01-15 November 2013

Canada

CA – Canadian Minister: Province to Address Gap

Saskatchewan Justice Minister Gord Wyant has said the government must address a “gap” in privacy protection for private-sector employees. “We, like Ontario and the eastern provinces, have relied on the federal legislation with respect to privacy matters in the private sector,” Wyant said. Referencing calls for change by Saskatchewan Information and Privacy Commissioner Gary Dickson, Wyant added “there’s a little bit of a gap when it comes to that area.” To address the issues, he said, “We’ve consolidated all the labour legislation into one piece, and we think that there’s a possibility of perhaps bringing some regulations forward under the employment act to cover off that issue.” [The Regina Leader-Post]

Consumer

WW – Brick-and-Mortars Catch Up on Customer Tracking

Brick-and-mortar retailers are using face scanners in an effort to improve such things as staffing, layout and marketing. Many businesses, aware of consumers’ reticence to be tracked, promise to only use the data in aggregate unless consumers give their consent. Shoppers are also increasingly asked to sign up for loyalty card programs that would allow the retailer to track them in exchange for discounts. “They are just trying to get real smart with data in the way the e-commerce guys are smart with data,” said the head of one tracking-device manufacturer. But the chief executive of a customer science company said, “Too much is happening without consumer consent.” [Reuters] See also: [Pandora Looks Past the Tracking Cookie by Mining User Data]

WW – Survey: Shoppers Unsure About Tracking-for-Coupons Model

While consumers are becoming more aware that they may be tracked as they walk around brick-and-mortar stores, “plenty still feel uncomfortable about it.” That’s according to a survey that found that nearly half of respondents said they would find it invasive if a store sent them a text-messaged coupon as they walked past that store. But only 35% said they found it invasive for a website to know their geographic location, suggesting “people are less comfortable being tracked on their mobile devices in a store than as they surf around the web,” the report states. [PC World]

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]

Electronic Records

US – Are There “Limitless” Privacy Risks to New Health Exchanges?

A government report on the Affordable Care Act health insurance exchanges details the “high risks” and potential “limitless” privacy concerns with the site. One key official in the Obama administration testified earlier this month that he was not copied on the memo detailing the risks. Centers for Medicare and Medicaid Services Deputy Director and Deputy Chief Information Officer Henry Chao, who “is in charge of … the operations of the agency’s information systems security program,” said, “It is disturbing” that he was not copied on the memo, adding, “This is … a fairly nonstandard way to document a decision.” [Forbes]

US – EHRs Make Audit Trails Much Easier To Follow

Electronic health records have made catching unauthorized viewers much easier. And that has illustrated the frequency with which unauthorized access occurs, such as last month’s notification by Minnesota’s Allina Health System that 3,800 patients’ personal health data had been breached by a medical assistant who had been improperly accessing the information for three years. The Department of Health and Human Services reports that since 2009, 27 million individuals have had their personal health data compromised. [Healthcare IT News]

Encryption

WW – Microsoft Does Not Encrypt Server-to-Server Traffic

A Microsoft executive told members of the European Parliament that the company does not encrypt server-to-server data traffic. Dorothee Belz, Microsoft EMEA VP for Legal and Corporate Affairs, said that the company is “currently reviewing [its] security system.” Belz appeared before a European Parliamentary committee with representatives from Google and Facebook. Earlier, she had stated that Microsoft did not allow “direct access” to its servers. The revelation about the unencrypted traffic between Microsoft servers follows close on the heels of leaked documents that indicate the NSA and GCHQ tapped into such connections between Google data centers to access data. [Ars Technica] [The Register]

US – Exclusive Interview with Lavabit Founder on the Day the FBI Came Calling

Ladar Levison remembers June 28 pretty well. Temperatures reached 108 degrees in Dallas, TX, and Sandra Bullock’s The Heat was released nationwide. But Levison was feeling a different kind of heat that day when the FBI showed up unannounced at his Dallas apartment and told him they wanted access to his company’s computer system—a system he’d designed specifically to protect his customers from the threat of surveillance. The Privacy Advisor describes his legal ordeal and his new business venture, one he hopes protects data in a way his last service, in the end, did not. [Privacy Advisor]

US – US Justice Dept. Files Brief in Lavabit Appeal

The US Justice Department has filed an appellate brief in the Lavabit case. The government maintains that Lavabit founder Ladar Levison’s promise of security to his customers does not exempt him or his company from having to comply with court orders. According to the brief, DOJ wanted the metadata from a single Lavabit account. (Although the investigation’s target is not specified, it is widely believed to be Edward Snowden.) The DOJ dismissed Levison’s concerns that it would use the SSL key it sought to peruse accounts of other Lavabit users. [WIRED] [ComputerWorld]

EU Developments

EU – Reding Says Data Protection Outside of TTIP’s Scope, Calls for an EU NSA

Officials in Brussels say Germany’s plan to push for tough data protection controls for the Transatlantic Trade and Investment Partnership is a “big surprise.” [Reuters] Despite a push from Germany to include data protection rules within the Transatlantic Trade and Investment Partnership in the wake of U.S. spying revelations, European Commission Vice President Viviane Reding says data protection is outside of the EU-U.S. pact’s scope. “The commission’s view and the position taken by all leaders at the recent European Council is clear: Let’s not mix up the phone tapping issue with the ongoing trade talks,” Reding said. Reding has also called for the EU to create its own intelligence agency by 2020 in order to “level the playing field” with the U.S. Meanwhile, U.S. Attorney General Eric Holder says the U.S. is taking note of Europe’s concerns. [Financial Times]

EU – Court Rules Google Must Remove Images from Search Results

A French court has ruled Google must remove compromising photos of a Formula One car racing chief from its Internet search results. The ruling follows Max Mosley’s lawsuit aiming to force Google to filter images that were originally published in a British newspaper. Mosley claimed French law forbids taking and distributing images of someone in a private space without permission, while Google argued freedom of speech. Google says it will appeal the decision. “At this point in time, the pendulum is swinging toward individuals’ privacy and away from freedom of speech,” said one privacy analyst. [The Economic Times]

UK – ICO: Cookie Replacements Must Follow Rules

The UK Information Commissioner’s Office (ICO) has acknowledged that it’s aware of initiatives to forgo cookies for new tracking technologies and says these new technologies will need to abide by the same rules as cookies. Encouraging a Privacy by Design approach, an ICO spokesperson said companies must be upfront with customers and offer “users a clear choice as to the options available to them.” Meanwhile, Mozilla’s plans to automatically block certain cookies in its browser are on hold after it announced plans to work with the Cookie Clearinghouse initiative at Stanford University on a “more nuanced approach.” The organization now says it’s unsure whether it will adopt the feature. [Out-Law.com]

EU – Garante Provides General Rules Following Outsourcing’s Growth

Following the growth of the outsourcing of call center services outside the EU, the Italian Data Protection Authority, the Garante, is providing its general rules to protect the privacy of Italian citizens. “At the end of a complex investigation, the Garante stressed the rules to be applied to both companies and government agencies, whose customer care or call centers are located outside the EU.” [Full Story]

EU – Garante, DIS Enter Cooperative Protocol

The Garante, Italy’s data protection authority, and DIS, the country’s intelligence department, have entered into a cooperation protocol. “This is an extraordinary agreement entered into by very key sensitive functions of the Italian State and a great signal of transparency for the world in reply to all worrying news on Datagate we daily read on newspapers or on the Internet.” “At the same time this is a proof of evidence that a different model of cooperation on the ground of the intelligence services is possible. Citizens have to believe that another world is possible and their rights might be protected together with their security and safety.” [Privacy Advisor]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

UK – Message-Sender Successfully Appeals 300,000 GBP Fine

Christopher Niebel has successfully appealed a 300,000 GBP fine for sending spam text messages after challenging “whether the Information Commissioner’s Office (ICO) was right to issue him with a fine for his part in what the ICO considered was a serious breach of UK privacy laws.” Niebel and fellow Tetrus Telecoms co-owner Gary McNeish were fined a combined 440,000 GBP by the ICO last year “for breaching the UK’s Privacy and Electronic Communications Regulations (PECR) for engaging in unsolicited direct marketing activities.” However, an Information Rights Tribunal upheld Niebel’s appeal, ruling “insufficient damage or distress had been caused to recipients to merit the penalty being imposed,” the report states. [Out-Law.com]

Facts & Stats

WW – Breaches More Widespread Than Reported

A new security survey has found that 57% of malware analysts said they have worked on enterprise-related data breaches that were not disclosed. The ThreatTrack Security survey interviewed 200 security professionals. For larger businesses, with more than 500 employees, the number jumps to 66%. The reason behind not disclosing breaches may stem from attempts to save brand reputation or avoid difficult questions from customers and investors. [ZDNet]

FOI

EU – Facebook Discloses Gov’t Data Requests

A recent hearing organized by the European Parliament’s civil liberties committee featured Richard Allan, director for public policy for Facebook in Europe, who discussed the number of demands for data by EU governments. Allan said Facebook received 8,500 requests from the EU on 10,000 user accounts during the first six months of 2013. By comparison, U.S. officials made 12,000 requests for data on as many as 21,000 user accounts. Meanwhile, CIO reports on the nuances of Facebook’s updated data use policy and statement of rights and responsibilities. And a new poll indicates four out of five people have changed the privacy settings on their social media accounts, most within the last six months. [New York Times Bits]

WW – Google Transparency Report

According to Google’s most recent transparency report, the US government made nearly 11,000 requests for user information from the company in the first six months of 2013. The Indian government made 2,700 requests of Google in that same period. The company makes note of the fact that the numbers represent only those requests that they are permitted by the US government to disclose. [CNET]

US – Apple’s Transparency Report Includes “Warrant Canary”

Apple has filed its first transparency report, enumerating government requests for data from devices, iTunes, and other content services. Along with the report, Apple has filed an amicus brief with the Foreign Intelligence Surveillance Court, seeking approval to release more detailed information. Apple received the vast majority of its data requests from the US government, but also received requests from the governments of the UK, Germany, Australia, Spain, Singapore, and France. Apple’s report also includes these sentences: “Apple has never received an order under Section 215 of the USA Patriot Act. We would expect to challenge such an order if served on us.” The statement is called a “warrant canary” because its absence from future reports would indicate that the company had received such an order. [CSMonitor] [ComputerWorld]

WW – Apple: “Our Business Does Not Depend On Collecting Personal Data”

Apple published a formal report on federal government data requests. In it, Apple says its business “does not depend on collecting personal data … We have no interest in amassing personal information about our customers. We protect personal conversations by providing end-to-end encryption over iMessage and FaceTime. We do not store location data, Maps searches or Siri requests in any identifiable form.” It adds that the U.S. government doesn’t allow it to disclose the number of national security orders “or whether content, such as e-mails, was disclosed” and that it opposes such a gag order. Earlier this week, the company lobbied for restrictions on government surveillance. [All Things Digital]

US – Is California Transparency Law Still Effective 10 Years Later?

The American Civil Liberties Union of Northern California (ACLU) has published a policy paper looking at the state’s Shine the Light law of 2003. The paper looks at whether the law, now 10 years old, is still effective in providing transparency about how businesses handle personal data. “From revelations of widespread NSA spying to high-profile data breaches, the need to know what is happening to our personal information is more important than ever,” the ACLU said. [ACLU] [Losing the Spotlight: A Study of California’s Shine the Light Law]

Genetics

WW – Microbe Research Raises Privacy Concerns

NPR reports on the American Gut Project, a “citizen science,” crowdsourced microbiome initiative designed to help scientists learn more about the friendly and dangerous microbes living in and around the human body. Organizers of the project need reams of personal information—including swabbed samples and detailed logs of a subject’s daily diet—to help illuminate the research, but some bioethicists are expressing privacy concerns. One expert said, “If you have privacy concerns at all, you shouldn’t do it.” Though the information is confidential, there’s no guarantee that it will be protected and it’s possible that a volunteer’s DNA samples might inadvertently become public, the bioethicist noted. [Source]

Health / Medical

US – Hospitals Prepare to Digitize Records for Sharing

In Texas, a new program will digitize the medical records of every hospital in the San Antonio region. The data—about 600,000 records in total—will eventually be shared in real time with hospitals, doctors and patients themselves. Patients are permitted to opt out if they wish. Meanwhile, VMware has announced a new service aimed at helping with HIPAA security requirements by providing Business Associate Agreements. “The healthcare IT industry needs trusted, reliable and stable business associates that will help address the appropriate administrative, physical and technical safeguard requirements under HIPAA security rules,” said the chief information officer at Hackensack University Medical Center. [Texas Public Radio]

US – Breach Settlement First to Award Plaintiffs Who Aren’t ID Theft Victims

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. A report from Becker’s Hospital Review notes that it is the first breach case to extend payments to plaintiffs who were not victims of identity theft. “Settlements for data breach class actions have traditionally not extended payments to class members who have not experienced any fraud or identity theft. Here, though, that is exactly what the sides agreed to, whereby payments will be made to all class members who purchased insurance, even absent any fraud or identity theft,” states Reed Smith’s Global Regulatory Enforcement Law Blog.

Horror Stories

US – One Million Affected in Software Company Site’s Hack

Internet security firm Hold Security says it has discovered that a limousine software company has been hacked, resulting in credit card numbers and other details on close to one million customers being exposed. Jonathan Mayer, a cybersecurity fellow at Stanford University, said Corporatecaronline’s website was running outdated software that made it vulnerable, but “you don’t have to be a big target to be at risk online anymore. This is the new normal, and it underscores the need for improving the regulatory framework.” [Detroit Free Press]

EU – Loyaltybuild Data Breach Affects More Than One Million People

More than 1.5 million Europeans have had personal information compromised by a security breach at Loyaltybuild, a company that manages customer loyalty programs across Europe. International security firm Garda has launched an investigation into the incident, which saw nearly 400,000 individuals’ credit card details exposed. Irish Data Protection Commissioner Billy Hawkes said the financial data was not encrypted. Another 150,000 individuals’ details have been “potentially compromised,” and the breach looks to be the result of an external criminal act, Hawkes said. Meanwhile, in the U.S., hundreds have been affected by a data breach dating back to 2001 in Indiana. [Irish Times] [The Register] [Irish Examiner]

Internet / WWW

WW – At Hearing, Google Says NSA Could Cause “Splinternet”

During a Senate Judiciary Subcommittee hearing on the Surveillance Transparency Act of 2013, Google Director of Law Enforcement and Information Security Matters Richard Salgado expressed concerns that the Snowden disclosures, along with gag orders placed on the company by the U.S. Department of Justice, are hurting U.S. businesses around the world economically and may cause a fractured Internet. Global reaction to the NSA disclosures “could have severe unintended consequences such as a reduction in data security, increased cost, decreased competitiveness and harms to consumers,” he said. [The Privacy Advisor]

EU – Germany and Brazil Present Internet Privacy Resolution to UN

Following reports that U.S. intelligence eavesdropped on foreign leaders—including German Chancellor Angela Merkel and Brazilian President Dilma Rousseff—both nations formally presented a resolution to the United Nations urging countries to extend internationally guaranteed rights to privacy online. Such resolutions to the General Assembly are not legally binding. The U.S. was not specifically named in the resolution. [The Associated Press]

US – NIST Looking for Advisors for Privacy Panel

The National Institute of Standards and Technology (NIST) has announced it is looking for new members to its Information Security and Privacy Advisory Board (ISPAB). The board’s objective is to identify emerging issues affecting information security and privacy and advise NIST’s leadership, the secretary of commerce and the Office of Management and Budget on such trends. A NIST notice states, “Nominees should have specific experience related to information security or privacy issues, particularly as they pertain to federal information technology.” Microsoft Chief Privacy Officer Brendon Lynch wrote about why privacy professionals are needed in the NIST framework process. [Government Security News]

US – NIST Will Review Standard Development Process

The National Institute of Standards and Technology (NIST) plans to review its standards development process. The organization hopes to restore the credibility that took a hit several months ago when news stories broke that the NSA may have included a backdoor in a NIST-approved encryption algorithm. NIST will open its process for public review as well as review by an as-yet unnamed third-party organization. In a November 1 statement, NIST wrote, “Based on the public comments and independent review, we will update our process as necessary to make sure it meets our goals for openness and transparency, and leads to the most secure, trustworthy guidance practicable.” [Ars Technica]

Offshore

NZ – Parliament Considers Privacy Principles

The New Zealand Parliament is considering adopting a set of privacy principles that would help protect both MPs and journalists. Privacy Commissioner Marie Shroff, who recently reflected on the evolution of privacy in the past decade, told Parliament’s Privileges Committee “it might be useful for the Privacy Act principles to be used as some sort of a guide within the Parliamentary precinct when difficulties occur over the use of information.” With the Privacy Act and the Official Information Act already established, she suggested there is no need to “reinvent the wheel.” [Radio New Zealand]

NZ – Bill Could Put Cyber Bullies Behind Bars

A new bill being introduced in the New Zealand Parliament could see cyber bullies facing up to three years in prison. The Harmful Digital Communications Bill is backed by Justice Minister Judith Collins and would create a criminal offence for “sending messages or posting material online with intent to cause harm—including threatening and offensive messages, harassment, damaging rumours and invasive photographs,” punishable by up to three months in prison or a $2,000 fine, the report states. The bill would also establish an agency responsible for handling complaints. [The Sydney Morning Herald]

ID – Indonesia May Consolidate Privacy Law

“Indonesian data privacy protection is spread over several pieces of legislation such as the Human Rights Law, ITE Law, Code of Criminal Procedure and others,” but the government is discussing consolidating it into a single law, Lexology reports.

IN – Analysis of India’s Privacy Bill

Neeral Dubey of PSA Legal Counsellors examines The Privacy Protection Bill, 2013 for Mondaq, including the domain and protection of personal data and the punishment for offenses. “Though it has expanded the scope of sensitive personal data, it has not covered all the aspects, like, passwords or other personal details within its ambit,” Dubey writes, concluding, “Though this Bill seems to be a step in the right direction, what it can fetch is a question that remains to be answered. But that can be fathomed only once this sees the light of the day.”

Online Privacy

EU – Swiss Telecom Plans Cloud Service Hosted Entirely Within Switzerland

Swiss telecommunications company Swisscom plans to establish a “Swiss cloud” that will be hosted entirely within that country. The goal is to prevent the NSA and GCHQ from snooping on communications. (Swisscom is majority-owned by the country’s government.) Switzerland already has stringent data privacy laws in place, which is why companies that provide secure communications services use data centers there. Prosecutors must obtain court orders before conducting surveillance. [The Register] [v3.co.uk] [Ars Technica] [Reuters]

US – MIT Launches Big Data Privacy Working Group

The Massachusetts Institute of Technology (MIT) Big Data Initiative, under its Computer Science and Artificial Intelligence Lab (CSAIL), has announced it is launching a new Big Data and Privacy Working Group to bring together industry, government and academia to address and find solutions for problems arising out of the intersection of Big Data innovation and privacy. CSAIL Principal Research Scientist Daniel Weitzner said, “The goal of the group is to encourage long-term thinking on the role of technology in protecting and managing privacy, in particular when large and diverse data sets are collected and combined,” and added, “We have a wide variety of technical approaches to privacy protection but don’t have a good handle on how they might actually work at scale or whether we need to develop new technical tools.” [MIT News]

US – Schools Share $38 Million Big Data Grant

The University of Washington, New York University and the University of California-Berkeley are sharing a $38 million grant to spread Big Data analysis skills to various professional fields. “Our goal is to figure out how to rapidly evolve universities to support and utilize data-intensive discovery,” said Ed Lazowska, eScience Institute founder and computer science professor at the University of Washington. “We have been doing this on a small scale, but now we’ll be able to work the problem at a large scale and as a collaboration among three teams that include some of the strongest faculty at some of the nation’s strongest universities.” [The Seattle Times]

US – Plaintiffs: VPPA Case Should Proceed, Even With Lack of Financial Harm

Hulu users involved in a potential class-action lawsuit are urging a federal judge to allow the case to proceed. The Hulu users have asked U.S. District Court Judge Laurel Beeler to reject Hulu’s motion to be awarded summary judgment in the case, saying that the case should proceed even if they do not prove financial harm. The class members claim Hulu violated the Video Privacy Protection Act (VPPA) by allegedly sharing user data with Facebook and comScore, but Hulu claims that consumers were not financially harmed in the case. The consumers argued, “A violation of the VPPA simply does not require a threshold showing of pecuniary damages.” [MediaPost]

US – Colleges Increasingly Checking Applicants’ Social Media Accounts

According to Kaplan research, 31% of admissions officers visited an applicant’s Facebook page or other social media account last year in determining admissions, a 5% jump over the previous year. The research is indicative of the increasing role students’ digital footprints play in whether or not they gain admission to college in the U.S. “To me, it’s a huge problem,” said Bradley S. Shear, a social media-focused lawyer. “Often, false and misleading content online is taken as fact.” However, we might all agree that one Bowdoin College applicant’s decision to snarkily tweet mean-spirited comments about fellow applicants while on a tour of the school was ill advised. [New York Times]

WW – Facebook Asks Adobe Users to Change Passwords

Facebook is warning users who also use Adobe that if they are using the same e-mail and password combinations on both sites, they should change that. That’s after the recent breach at Adobe in which hackers stole nearly three million encrypted credit card records and users’ login credentials. “We actively look for situations where the accounts of people who use Facebook could be at risk—even if the threat is external to our service,” said a Facebook spokesman. “When we find these situations, we present messages like the one in the screenshot to help affected people secure their accounts.” [KrebsonSecurity]

WW – Closed-Circle Feature Added to Google+

Google has added a new feature to Google+ to ensure private conversations remain private. The feature allows businesses to decide if their restricted community will be open to everyone at the company or more limited, the report states. System administrators can decide whether restricted communities will be the default, but communities open to third parties such as business partners and clients can also be created. [Think Digit]

WW – Google to Limit Windows Chrome Extensions to Chrome Web Store

Starting in January 2014, users of Chrome on Windows will be permitted to install extensions only from the Chrome Web Store. Currently, users are asked if they want to install extensions when they originate outside of the Chrome store, but attackers have found methods to bypass that warning mechanism. [CNET]

WW – Chrome Canary Detects Suspicious Downloads

The Canary build of Google’s Chrome browser has been updated to include functionality that detects malware attempting to download. A warning will appear at the bottom of the browser window when Canary detects an attempted malware download. Chrome Canary is the name given to the “bleeding edge” channel of the browser, before code reaches the Dev channel. Most features that are added to Canary do eventually appear in Dev, and then move on into the Beta and Stable versions of the browser. [ComputerWorld] [The Register]

WW – Firefox Beta Moves Toward Click-to-Run Default for Plug-ins

The most recent beta version of Firefox moves closer to making “click-to-run” the default status for all plug-ins. The new feature will not automatically run plug-ins when pages are opened. Instead, users will see a box warning that the plug-ins the page requires may be vulnerable. Content will display only if users explicitly allow each plug-in. The only exception will be the most recent version of Flash. Other browsers have made exceptions for Flash as well. Google bundles Flash in its Chrome browser, making sure to push out updates when available, so that users are always running the most current version. [The Register]

WW – Microsoft Updates Policy Ahead of Xbox One Launch

Ahead of the launch of the Xbox One, Microsoft has updated its privacy policy to clarify how data is collected and used within gaming functions. While Xbox One uses facial recognition to log in users, the data doesn’t leave the console and can be deleted at any time. However, users “should not expect any level of privacy” when it comes to live communication features like chat and video during live-hosted game sessions. Microsoft reserves the right to monitor those communications “to the extent permitted by law.” Users are permitted to disable targeted ads and tracking through an opt-out page. [Ars Technica] See also: [Will Kinect 2.0 and COPPA Play Well Together?]

Other Jurisdictions

BR – Brazil Calls for End to “Excessive Electronic Surveillance”

Following the country’s outrage over the U.S. National Security Agency’s (NSA) spying scandal and calls for new legislation, Brazil has put forth a resolution calling for an end to excessive electronic surveillance. Brazilian President Dilma Rousseff, who canceled a trip to Washington, DC, following reports that the NSA had intercepted data from her office, said the U.S. has broken international law. “Friendly governments and societies that seek to build a true strategic partnership, as in our case, cannot allow recurring illegal actions to take place as if they were normal,” Rousseff said. “They are unacceptable.” [BBC News]

KZ – Kazakhstan Privacy Law Coming Into Effect Soon

Kazakhstan’s data privacy law, On Personal Data and Their Protection, goes into effect on November 26, making it the second country in Central Asia to enact a privacy law, reports Hunton & Williams’ Privacy and Information Security Law blog. The new law will work with the existing sectoral regulations and, while no English translation is available, according to the report, analyses suggest it applies to both public and private sectors.

CN – China Amends Consumer Protection Law

The Standing Committee of the National People’s Congress of the People’s Republic of China passed an amendment to the P.R.C. Law on the Protection of Consumer Rights and Interests, reports Hunton & Williams’ Privacy and Information Security Law Blog. The amendments will take effect on March 15 and include increased penalties for violations of consumer rights, a new rule on punitive damages and a ban of unauthorized disclosures of consumer personal information, among others.

BR – Brazil to Consider Online Privacy Bill

Brazil will take up an online privacy protections bill that business groups fear will stymie the free flow of data. The bill, to be considered by Brazil’s Chamber of Deputies this week, would create restrictions on how Internet service providers use Brazilians’ personal data and would require companies to build local data centers in order to do business in Brazil. “Global data flows rely on data centers dispersed all over the world,” wrote a group of 47 industry reps from the U.S., Brazil, Europe and Japan to Brazil’s National Congress. “Thus, in-country data storage requirements would detrimentally impact all economic activity that depends on data flows.” A vote could take place Monday. [Politico]

Privacy (US)

US – Judge: Peer-to-Peer Data Isn’t Protected Under Fourth Amendment

A federal judge in Vermont has ruled there can be no expectation of privacy when it comes to data exposed online via a peer-to-peer file-sharing network. The case involved three men charged with a crime who claimed the police illegally gathered data from their computers using a peer-to-peer search tool and then obtained a search warrant based on that data. The defendants asked the judge to suppress the evidence based on a violation of their Fourth Amendment rights, but District Court Judge Christina Reiss denied the motion, stating the defendants made the data public when they posted it over a peer-to-peer network. Other courts have ruled similarly where peer-to-peer networks are involved. [Computerworld]

US – FTC Denies Company’s Consent Method

The FTC has denied AssertID’s application seeking approval of a parental consent method. The FTC said in a letter to the company that its proposal “failed to provide sufficient evidence that its method would meet the requirements” under the Children’s Online Privacy Protection Act. The company hoped to use a method called “social-graph verification,” but the FTC said in a 4-0 vote there hadn’t yet been sufficient research or testing to prove its efficacy. [FTC Press Release]

US – Internet Association Backs Airbnb in NY Privacy Conflict

The Internet Association—a group of web companies including Google, eBay, Facebook and Amazon—has filed papers in New York arguing that an attempt by the state’s attorney general to compel Airbnb to turn over its customers’ data will set a precedent that could harm online business. “The prospect of law enforcement authorities, regulators and other government personnel being able to obtain broad swaths of information about consumers under no articulated suspicion of wrongdoing would unduly discourage participation in these online services,” the filed paper states. [MediaPost]

US – Parents to Sue NY Education Dept.

A group of New York City parents is planning to file suit “to block the state Education Department from sharing their kids’ data—including test scores and discipline records—with private companies.” The suit, which is to be filed in New York Supreme Court, comes in response to “the controversial $100 million inBloom project being built by the company Amplify,” the report states, noting the parents allege the project “violates the state’s Personal Privacy Protection Law, forbidding state agencies from giving personal info to companies without consent, unless state law specifically requires the agencies to do so.” The suit follows concerns about inBloom raised in other states. [NYDailyNews.com]

US – Man Says Data Broker Is Liable in Harassment Case

A New York man has asked the U.S. Supreme Court to review whether data brokerage companies can be held strictly liable under federal law. The man claims “a data broker illegally sold information gleaned from DMV records to a stranger who later tracked down and harassed him.” A Second Circuit court ruled in July that data broker Softech International could not be held strictly liable under the Driver’s Privacy Protection Act. [Law360]

Privacy Enhancing Technologies (PETs)

WW – Two Tracking Techs Emerge from Hackathon

Last week, online privacy service Ghostery hosted a hackathon to create new user-friendly technologies to enhance online privacy. One team created a browser plug-in to reveal the companies that are tracking users by placing photos of the companies’ top executives on screen. A second top vote-getter focused on measuring the amount of time trackers add to page loading time. The latter system works in tandem with Ghostery and allows users to opt out of tracking. For the next month, users in the Ghostery community have the option to vote for the best service, which will then present its technology at South by Southwest next year. [AdAge]

US – NIST to Update Smart Grid Guidance

The National Institute of Standards and Technology (NIST) is revising its smart grid guidance to address vulnerabilities and privacy issues that have become more of a concern over the past few years. While the U.S. power grid is years away from being a true smart grid, NIST says in the draft of the guidance, “Approaches to secure these technologies and to protect privacy must be designed and implemented early in the transition to the smart grid.” Rebecca Herold, who leads NIST’s Smart Grid Cybersecurity Committee’s privacy subgroup, said the new draft will “allow all players in the smart grid to proactively address privacy issues as they create the wide variety of services and components involved, instead of waiting until after the fact, and after privacy incidents, to try to tack privacy on as an after-thought, which is never nearly as effective—as history has taught us.” [BankInfoSecurity]

Security

WW – SMB Cybersecurity Survey Suggests Many Unaware of Being Attacked

A survey from McAfee and Office Depot of more than 1,000 small and medium-sized businesses (SMBs) found that two thirds were confident of the security of their data and devices. More than three-quarters of the companies said they had not been the victims of cyber attacks. There is a significant discrepancy between those numbers and research, which shows that SMBs are often targeted by cybercriminals. 72% of breaches investigated by Verizon’s forensic analysis unit in the company’s most recent Data Breach Investigations Report were of companies with fewer than 100 employees. It is likely that many SMBs are simply not aware that they have been attacked. [InfoSecurity]

US – Survey Suggests Majority of Breaches in US Undisclosed

According to a survey, more than half of all data breaches experienced by companies in the US remain undisclosed. The study surveyed 200 security professionals who conduct malware analysis; 57% said they had investigated or helped manage fallout from a data breach that was not disclosed by the targeted company. [ZDNet] [CSO Online]

Surveillance

US – CIA Allegedly Engaged in Bulk Collection

A Central Intelligence Agency (CIA) program collects bulk records of international money transfers, including transfers inside and out of the U.S. from companies such as Western Union. Unidentified officials said the program operates under provisions within the USA PATRIOT Act and is overseen by the Foreign Intelligence Surveillance Court—similar to the National Security Agency’s phone records metadata program. One official said, “The CIA protects the nation and upholds the privacy rights of Americans by ensuring that its intelligence-collection activities are focused on acquiring foreign intelligence and counterintelligence in accordance with U.S. laws.” Meanwhile, Ars Technica reports on a new social media monitoring service unveiled by LexisNexis to aid local law enforcement in mining social media posts for intelligence. [The New York Times]

UK – GCHQ Spoofed LinkedIn & Slashdot to Access Telecoms’ Internal Networks

According to leaked documents, the UK’s GCHQ spoofed LinkedIn and Slashdot pages to install malware on the computers of certain engineers working for global roaming exchange providers in Europe. The engineers were not lured to a fake site; they visited the real ones, and the forged pages were delivered to them in place of the genuine responses. Once the malware was on the computers, intelligence agents were able to gain access to internal networks of Belgian telecommunications company Belgacom and its subsidiaries. The method used to infect the computers is known as “Quantum Insert” and was developed by the NSA. [Der Spiegel] [WIRED] [ComputerWorld] [Ars Technica]
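The leaked documents describe the effect of Quantum Insert, not a way to spot it. Public accounts of the technique describe a man-on-the-side injector that watches for the victim’s request and races a forged response to the victim ahead of the real server’s reply; the victim’s TCP stack accepts whichever segment arrives first. That leaves a wire-level artefact a network sensor can look for: two data segments on the same connection with the same sequence number but different payloads, usually with a different IP TTL because the forged packet travelled a different path. The detector below is an added example written for this newsletter, not code from any of the cited reports or from GCHQ/NSA material; the race-based model, the `Segment` record layout, the sample packets and the addresses (documentation ranges) are all assumptions constructed for illustration. It deliberately ignores benign retransmissions, where the later copy repeats or extends the earlier bytes.

```python
import hashlib
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    """One TCP segment as a sensor would record it (a minimal, assumed field set)."""
    ts: float        # capture timestamp, seconds
    src: str         # source IP (the server for responses)
    sport: int
    dst: str         # destination IP (the client)
    dport: int
    seq: int         # TCP sequence number of the first payload byte
    ttl: int         # IP TTL as seen on the wire
    payload: bytes   # TCP payload, empty for pure ACKs


def _digest(data: bytes) -> str:
    """Short SHA-256 prefix so alerts can be correlated without storing page bodies."""
    return hashlib.sha256(data).hexdigest()[:16]


def detect_injection(segments):
    """Flag pairs of data segments that share a flow and sequence number but carry
    conflicting payloads.

    A genuine retransmission repeats the earlier bytes (possibly extending them), so
    one payload is a prefix of the other; that case is deliberately not flagged.
    Returns a list of alert dicts, one per conflicting pair, in arrival order.
    """
    seen = defaultdict(list)      # (src, sport, dst, dport, seq) -> earlier segments
    alerts = []
    for seg in sorted(segments, key=lambda s: s.ts):
        if not seg.payload:
            continue              # nothing to forge in an empty segment
        key = (seg.src, seg.sport, seg.dst, seg.dport, seg.seq)
        for prior in seen[key]:
            a, b = prior.payload, seg.payload
            if a.startswith(b) or b.startswith(a):
                continue          # consistent retransmission, benign
            alerts.append({
                "flow": f"{seg.src}:{seg.sport} -> {seg.dst}:{seg.dport}",
                "seq": seg.seq,
                "first_ts": prior.ts,
                "second_ts": seg.ts,
                "ttl_first": prior.ttl,
                "ttl_second": seg.ttl,
                "first_payload_sha256": _digest(a),
                "second_payload_sha256": _digest(b),
            })
        seen[key].append(seg)
    return alerts


# Constructed sample traffic: a forged 302 wins the race against the real page,
# followed by two kinds of legitimate retransmission that must not alert.
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"   # documentation-range addresses


def _seg(ts, seq, ttl, payload):
    return Segment(ts, SERVER, 80, CLIENT, 51234, seq, ttl, payload)


REAL_PAGE = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>real profile page</html>"
FORGED = b"HTTP/1.1 302 Found\r\nLocation: http://198.51.100.7/landing\r\n\r\n"

SAMPLE_SEGMENTS = [
    _seg(0.000, 1, 52, b""),                 # ACK-only, ignored
    _seg(0.021, 1, 38, FORGED),              # injected: arrives first, different TTL
    _seg(0.034, 1, 52, REAL_PAGE),           # genuine response, loses the race
    _seg(0.100, 2001, 52, b"chunk-two"),     # genuine data
    _seg(0.350, 2001, 52, b"chunk-two"),     # plain retransmission, benign
    _seg(0.400, 3001, 52, b"abc"),
    _seg(0.650, 3001, 52, b"abcdef"),        # retransmit that coalesced more data, benign
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_SEGMENTS):
        print(alert)
```

On real captures the same logic runs over segments pulled from a pcap; the TTL delta is supporting evidence rather than proof, since legitimate paths change too, so the payload conflict is the condition that fires and the TTLs are recorded for the analyst. Servers that legitimately answer the same sequence number with different bytes (some load balancers re-issuing a response after a failover) will produce false positives and need to be allow-listed.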

WW – As NSA Fallout Continues, Investigations Launched

Dutch and Belgian data protection authorities are leading an investigation “into whether consumers’ personal data on the global Swift money-transfer network can be accessed by the U.S. National Security Agency (NSA) or other intelligence services.” “We will investigate if the security of the networks and databases of Swift containing huge quantities of personal data related to bank transactions, of among others, European citizens, allow for or have allowed for unlawful access,” said Dutch DPA and Article 29 Working Party Chairman Jacob Kohnstamm. In the U.S., advocacy groups including the Electronic Privacy Information Center, Privacy Rights Clearinghouse and Center for Digital Democracy sent a letter to the U.S. Federal Trade Commission calling for an investigation into Internet companies whose networks were accessed by the NSA. “It is inconceivable that when faced with the most significant breach of consumer data in U.S. history, the commission could ignore the consequences for consumer privacy,” the letter states. Meanwhile, a GigaOM report suggests the legacy of Edward Snowden’s revelations about NSA surveillance could be “much if not most of the open web will be encrypted by default.” [Bloomberg]

WW – Google Engineers Angry Over NSA and GCHQ Snooping

Google has begun encrypting traffic between its data centers after leaked documents indicated that the NSA and GCHQ had been targeting the fiber-optic networks that transmit data between Google data centers in a data harvesting operation dubbed MUSCULAR. (For the record, the operation also snooped on traffic between Yahoo data centers.) The traffic was not encrypted before because it was considered internal to the company; the lesson for anyone running private links is that a leased fiber path is not a trusted network. Google executive chairman Eric Schmidt was vocal about his feelings regarding the situation, calling the operation “outrageous” and “perhaps illegal.” Google engineers have also vociferously expressed their anger about the situation. [Ars Technica] [ZDNet] [The Register]

WW – Tech Companies Want Restrictions on Gov’t Surveillance

Following news that the National Security Agency (NSA) was tapping into Yahoo and Google data centers, a coalition of tech companies is calling on Congress for restrictions on government surveillance. Google, Yahoo, Microsoft, Facebook, Apple and AOL have asked for “substantial enhancements to privacy protections and appropriate oversight and accountability mechanisms.” Meanwhile, a U.S. senator and privacy advocates are raising concerns that a bill introduced last week to amend the Foreign Intelligence Surveillance Act would give the NSA permission to collect massive amounts of not only Americans’ phone records, but e-mails as well. [MediaPost]

US – House Committee Wants Answers from VA About Cybersecurity Practices

The US Department of Veterans Affairs (VA) is coming under scrutiny from a congressional committee after offering inconsistent explanations for several data breaches since 2010. The state-sponsored cyberattacks have compromised personal information of more than 20 million veterans and their family members. In the past three weeks, the House Veterans Affairs Committee has made six formal inquiries to the VA’s Office of Information and Technology regarding the agency’s IT security practices and compliance with federally mandated standards. The agency has a backlog of unanswered inquiries dating back to June 2012. The most recent round of inquiries arose after it became clear that VA networks were compromised multiple times since March 2010, but officials have been unable to determine what data were compromised. [FCW]

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan Tuesday on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sen. Patrick Leahy (D-VT) and Rep. James Sensenbrenner, Jr. (R-WI), would end the NSA’s bulk collection of phone records, increase curbs on monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Dianne Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

US – Surveillance Constitutionality May Be Tested in Court

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

Telecom / TV

US – IBM to Acquire Fiberlink Communications

IBM has announced its agreement to acquire mobile management and security company Fiberlink Communications. “In a mobile-first world, clients require a comprehensive mobile management and security offering. Oftentimes they integrate solutions on their own and take on unnecessary risk,” said IBM’s Robert LeBlanc. “To protect and enhance the complete mobile experience, it’s crucial to secure the app, user, content, data and the transaction. The acquisition of Fiberlink will enable us to offer these expanded capabilities to our clients, making it simple and quick to unlock the full potential of mobility.” [IBM]

US Government Programs

US – U.S. Willing to Consider Reforms

Chairman of the Privacy and Civil Liberties Oversight Board (PCLOB) David Medine said the government is open to changes about how it conducts phone and Internet surveillance programs as long as they don’t undermine the programs’ effectiveness. PCLOB is now examining how to balance thwarting terrorist plots with protecting Americans’ privacy. It will present a report to President Barack Obama on suggested reforms to surveillance programs. In an opinion piece for The Atlantic, Conor Friedersdorf says defenders of digital surveillance programs should apply the logic to the analogue world, where “everyone recognizes the absurdity of effectively outlawing privacy.” [Chicago Tribune]

US – Gov’t Considers Removing NSA from Military Command

The Obama administration is considering removing the U.S. National Security Agency (NSA) from military command and appointing a civilian to lead it. Gen. Keith Alexander is retiring in 2014, and a list of his potential replacements is being compiled. Meanwhile, plans for a European Internet—a direct response to the NSA revelations this summer—are being discussed by German company Deutsche Telekom. The company aims to keep German citizens’ data safe from foreign governments. And Privacy International has announced a new project that seeks to promote data protection within humanitarian efforts. [The Guardian]

US – White House May Consider Civilian to Head NSA

When NSA chief General Keith Alexander steps down from his post next year, the White House may nominate a civilian candidate to fill the position. The NSA has drawn its leaders from within the military since the agency’s inception in 1952. Alexander currently also heads the US Cyber Command, so a civilian NSA director would be considered only if the White House decides to split the two positions after Alexander steps down. A civilian nominee would likely have to face Senate confirmation hearings. A qualified civilian candidate may be difficult to find, as the job requires a depth of technical knowledge and “familiarity with intelligence gathering.” Jim Lewis, senior fellow at the Center for Strategic and International Studies, notes that a civilian NSA director may encounter difficulty providing intelligence for military operations. [The Hill]

US – NSA and Cyber Command Leadership Likely to be Separate

It appears likely that the next person to serve as NSA chief will not have authority over US Cyber Command, as does current NSA chief General Keith Alexander. Both military officials and legislators are leaning toward dividing the positions to prevent abuse of power and to help restore public trust in the NSA. Alexander, who was appointed head of the NSA in 2005 and acquired the leadership role at Cyber Command in 2010, plans to step down from those positions next year. He believes the two roles should be connected because agencies could end up squabbling over resources and decisions. [The Hill] [CNET]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” State AGs concurred recently at the IAPP Privacy Academy. The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – DHS Submits Annual Report on Privacy to Congress

In her first public communication, new U.S. Department of Homeland Security CPO Karen Neuman posted on the DHS blog that she has officially submitted the DHS Privacy Office’s 2013 Annual Report to Congress. “As the Privacy Office enters our tenth year,” she writes, “we will continue to ensure that DHS stays committed to protecting the privacy of all individuals, and providing the greatest level of transparency and accountability possible.” The report, which stretches to 86 pages, opens with a message from Deputy CPO Jonathan Cantor, who acted as CPO for much of the time the report covers, and outlines how the department accomplished goals related to its privacy and disclosure policy, advocacy, compliance, oversight and workforce excellence. [DHS]

US – Inspector General: DHS Lacks Resources to Handle Online Threats

The Department of Homeland Security’s (DHS) inspector general says DHS has struggled to respond to cybersecurity threats because of “lingering technical, funding and staffing woes.” In an October 24 report, the inspector general said DHS lacks the tools and training needed to track hackers who are after U.S. banks and other businesses and needs more resources in order to be able to communicate threats to its cybersecurity workforce in real time. There is a system to distribute event reports and another for distributing response information, but the two are not connected, so an incident logged in one does not automatically reach the responders working in the other. The IG’s report makes seven recommendations, including acquiring or developing tools and technologies that can link situational awareness products to cyber incidents. While President Barack Obama has nominated someone for the post, DHS currently lacks a confirmed secretary. [Politico] [NextGov] [OIG.dhs.gov]

US – Report Finds NSA, GCHQ Mass Surveillance Violated EU Law

A new study reveals that dragnet Internet surveillance by the U.S. National Security Agency (NSA) and the UK’s GCHQ violated European privacy law. The study’s authors, Sergio Carrera of the Centre for European Policy Studies and Francesco Ragazzi of Leiden University, have urged the European Parliament to “break the wall of silence,” the report states. Meanwhile, a report in Foreign Policy contends that, in the debate about the NSA’s surveillance programs, “privacy is a red herring.” [ComputerWeekly]

US Legislation

US – Lawmakers Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Common Sense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. The bipartisan legislation, which has won the support of advocacy group Consumer Watchdog, “would prohibit web giants … from collecting personal information, including location data, on children ages 15 and younger” without permission, the report states, describing teenagers as “a group that is leaving extensive digital dossiers” through the use of social media. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill] [The Washington Post]

US – Judge Rules Wyndham Must Exchange Evidence with FTC, Case Proceeds

A judge has ruled that Wyndham Worldwide Corp. must exchange pretrial evidence with the U.S. Federal Trade Commission in its complaint against the company that alleges breaches at Wyndham and its three subsidiaries compromised more than 619,000 credit card accounts, Bloomberg reports. The company wanted the case dismissed, claiming the FTC doesn’t have the authority to regulate data security. A Covington & Burling InsidePrivacy post noted, “Even if the FTC wins the motion to dismiss, if the court issues a written decision, it is possible that the decision could speak to limits on the FTC’s authority. Companies that are subject to the FTC’s jurisdiction will want to follow this closely.” [Full Story]

US – Is Cali’s “Eraser” Bill the Wrong Approach?

Recently passed legislation in California essentially creates an “eraser” option for children and teens. Yet privacy advocates are asking why only children would have such an option since, often, younger Internet users are more savvy with their privacy in the first place, whereas older users may not be as sophisticated. Center for Democracy & Technology Director of Consumer Protection Justin Brookman said, “It’s directed towards teenagers, which in itself is kind of vague … If you’re going to have privacy rules, you might as well protect everyone.” IAPP Westin fellow Kelsey Finch recently analyzed this bill along with several others in California. [Al Jazeera]

US – FAA Releases Roadmap for UAS Integration

The Federal Aviation Administration has released an official roadmap for the future integration of unmanned aircraft systems (UAS), also known as drones. U.S. Transportation Secretary Anthony Foxx said, “This roadmap is an important step forward that will help stakeholders understand the operational goals and safety issues we need to consider when planning for the future of our airspace.” The five-year plan unveils three phases, including “accommodation” of existing UAS, “integration of future UAS” and “evolution” to create an adaptable framework for the technology. The roadmap also implies, the report states, that unmanned aircraft will be treated like manned aircraft. The FAA has designated six test sites, which will help “inform the dialogue” with privacy and civil liberties concerns. [WIRED] See also: [Calo: FAA Plan “Sensible”; Not All Agree]

US – Markey Introduces Drone Bill

Sen. Ed Markey (D-MA) has filed a bill that would require the Federal Aviation Administration (FAA) “to insert privacy protections in its examination into the possibility of allowing drones to be flown in commercial airspace.” Markey explained his Drone Aircraft Privacy and Transparency Act would require the FAA to ensure warrants are in place before using drones for surveillance. “Before countless commercial drones begin to fly overhead, we must ground their operation in strong rules to protect privacy and promote transparency,” he said. [The Hill]

US – SCOTUS Lets Facebook Settlement Stand

The U.S. Supreme Court has let stand a $9.5 million settlement after a Facebook user challenged the agreement objecting to the fact that none of the money will go to the users whose privacy rights were violated. The settlement will go to a foundation to promote online privacy and security, after paying out lawyers’ fees, and stems from Facebook’s use of the Beacon advertising program, which it shut down in 2009 after complaints. While the court didn’t issue a published dissent, Chief Justice John Roberts said it may need a different case in order to reach the “fundamental concerns surrounding the use of such remedies in class-action litigation.” [Bloomberg]

US – Privacy Group Can Finally Start Work as Facebook Beacon Suit Ends

After three and a half years of legal wrangling, the U.S. Supreme Court let stand a $9.5 million settlement between Facebook and class-action plaintiffs, bringing an end to the case triggered by the Beacon advertising program. It is just the beginning, however, for the Digital Trust Foundation. Created by the settlement and led by Berkeley Center for Law and Technology head Chris Hoofnagle, the DTF will now begin developing grant-making guidelines for organizations seeking a portion of the $6 million in funds allocated for the study of online privacy. [Ad Age]

US – Federal and State Regulators on How to Get “Off the Hook”

The FTC has been a busy agency. It has now brought 47 data security cases against businesses to date, and according to FTC Consumer Protection Bureau Deputy Director Daniel Kaufman, there are more in the pipeline. Together with New Jersey Supervising Deputy Attorney General Kenneth Ray Sharpe, CIPP/US, Kaufman addressed a room full of privacy pros yesterday at the IAPP Practical Privacy Series in New York City on how to avoid the wrath of regulators. [The Privacy Advisor. Full Story]

US – What Privacy Pros Need to Know About the NIST Cybersecurity Framework

As the U.S. National Institute of Standards and Technology moves into the home stretch of creating the Cybersecurity Framework called for by President Barack Obama back in February, we’re now getting a clearer picture of how privacy will be affected by the resulting document. Considering it may end up being part of regulatory structure, it’s incumbent upon privacy professionals, writes Hogan Lovells Partner Harriet Pearson, CIPP/US, that they understand how the framework ties together cybersecurity and privacy. As the date of the last framework workshop approaches, Pearson hits upon the most important points of the draft Privacy Methodology contained in the Cybersecurity Framework in this exclusive post for Privacy Tracker. [Full Story]

US – California’s Tidal Wave of Legislation: A Roundup

For more than a decade, California has stood at the forefront of the privacy legislation wave. Two 2003 California statutes have stood out and, in fact, revolutionized the field: the California Online Privacy Protection Act (CalOPPA), which was the first state law to require websites to post a privacy policy, and the law commonly known as “SB 1386,” the first security breach notification statute. This exclusive for The Privacy Advisor examines five new laws as well as legislation that is currently pending in California. [Full Story]

US – U.S. Urges EU to Preserve Safe Harbour

Across the globe, fallout from reports of U.S. National Security Agency (NSA) and other governmental surveillance programs continues. Politico reports on U.S. regulators urging their counterparts in the EU not to abandon the Safe Harbor Framework amidst “mounting European anger over NSA spying.” Separately “The CIA is paying AT&T more than $10 million a year to assist with overseas counterterrorism investigations by exploiting the company’s vast database of phone records, which includes Americans’ international calls,” according to a report in The New York Times. NSA General Counsel Rajesh De has attempted to explain the agency’s telephone metadata collection program by saying, “It’s effectively the same standard as stop-and-frisk”—using “reasonable and articulable suspicion” to identify phone numbers to target. Meanwhile, Google has begun encrypting its internal network in an effort to halt broad surveillance, and Kaspersky has said it is designing products “to detect all malware”—even that sponsored by the NSA. In response to allegations of U.S. agencies spying on EU officials, Spiegel examines what the White House might have known and how the NSA sets its priorities, and Indonesia has backed a UN statement indicating “anger at U.S.-led data snooping,” while Australian websites faced cyber attacks “in protest at Canberra’s reported involvement in the surveillance network.” [Full Story]

Workplace Privacy

US – Employee Monitoring: What’s Allowed and What’s Not?

Employers walk a line between protecting company resources and ensuring productivity on one side and becoming Big Brother to their staff on the other. Technology is available to monitor everything from computer use to hallways, but just because it’s out there doesn’t mean it’s okay to use it. This IAPP Resource Center Close-Up aims to help you balance organizational security with employee privacy laws across the globe. You’ll find tools, articles and guidance on conducting background checks, accessing employee data and BYOD, plus learn about differing laws from region to region. [Close-Up: Workplace Privacy]

US – Case Over Workplace Audio Recordings Offers Insight

The proliferation of recording devices in our society offers employees the opportunity to easily record conversations in the workplace, which has brought up interesting legal questions in the 37 states where anti-wiretap laws don’t prohibit recording a person without their knowledge. Philip Gordon writes in Littler Mendelson’s Workplace Privacy Counsel about a recent case in which an administrative law judge (ALJ) rejected the National Labor Relations Board’s (NLRB) stance that workers “have a legally protected right to record their coworkers and managers.” In the case, the ALJ found that the company’s ban on workplace audio recording was lawful, and while the decision is not binding on the NLRB, the decision will likely be appealed to the board and offers important guidance for employers. [Full Story]

+++

17-31 October 2013

Canada

CA – Comparing Manitoba’s Privacy Law With Alberta’s

Mondaq analyzes the recently passed provincial privacy legislation in Manitoba, the Personal Information Protection and Identity Theft Prevention Act (PIPITPA), and how the legislation compares with Alberta’s Personal Information Privacy Act. Specific areas of comparison include breach notification, private right of action for breaches, security requirements and service transfers outside of Canada. “Organizations who already have processes in place to comply with Canada’s existing privacy laws will largely find that PIPITPA does not create new compliance obligations for them,” the report states. [Full Story]

Consumer

WW – Website, Researcher Rate Sites on Practices

A fledgling site is using crowdsourcing to rate the privacy policies of hundreds of websites. Called “Terms of Service; Didn’t Read,” the site’s tagline states, “‘I have read and agree to the terms’ is the biggest lie on the web.” Sites with the best practices are assigned to “Class A,” while the worst are put in “Class E.” Individual aspects of policies are given a “thumbs up” or a “thumbs down.” Meanwhile, researcher Rebecca MacKinnon’s “Ranking Digital Rights” project—which ranks companies on how well they respect users’ privacy rights—was thrust into overdrive since the NSA revelations. [Forbes]

US – Study: Consumers Enjoy Personalized Experience

A recent study indicates consumers want to be understood by the businesses with which they interact. In the SAS Institute survey, 71% of respondents said they are in fact concerned about recent news on government surveillance, but 60% said they expect businesses to know their preferences and understand their needs, the report states. In a post for The Wall Street Journal, University of Miami Associate Prof. Robert Plant discusses how consumers can make money off of their own data. Meanwhile, IBM’s Jeff Jonas writes that if a company is going to profit from consumer data, it must at least be transparent about it. [eWeek]

Electronic Records

WW – Researchers Push for More Patient Data Sharing

Two papers published in the New England Journal of Medicine back an international push to get drug companies to share patient-level data from clinical trials. Pharmaceutical industry reformers have been calling on drug companies to release patient data in order to ensure the safety and effectiveness of new drugs. Blowback from the release of certain pharmaceuticals, including Vioxx and Avandia, has revealed the dangers of concealed clinical drug trials, the report states. A group of academics advocating for such transparency said, “The question is not whether, but how these data should be broadly shared.” A Europe-based group of researchers said, “A managed-release environment that allows sharing of patient-level data while ensuring patient privacy would create a level playing field for all stakeholders.” [Milwaukee-Wisconsin Journal Sentinel]

US – Health Privacy Startup May Have Privacy Problem

Forbes examines medical records startup Practice Fusion—which recently received $134 million in venture capital—and its potential privacy problem. The company offers free patient management services. It also has 75 million records of patients’ health conditions and prescriptions. The data is allegedly de-identified and then becomes available for analysts, pharma companies and market research. It launched a doctor review site in April filled with 30,000 doctor profiles and more than 2 million patient reviews. In some cases, neither the doctors nor patients knew the reviews would be available publicly. Meanwhile, Sen. Edward Markey (D-MA) has called on Walgreens to answer for the privacy impact of its new “Well experience” pharmacy model. [Forbes]

US – Working the Kinks Out of the US’s Health Insurance Online Marketplace

President Barack Obama is launching a “tech surge” to address glitches in HealthCare.gov, the online marketplace designed to help people find health insurance under the Affordable Care Act. Improvements that have been implemented since the site’s launch include increasing server capacity to deal with high levels of traffic and allowing people to preview plans without having to fill out a form. [NextGov] [ArsTechnica] [LA Times]

Encryption

US – Ruling Threatens Internet Privacy, Brief Says

The Electronic Frontier Foundation (EFF) filed a brief arguing that a court order requiring secure e-mail provider Lavabit to hand over its master encryption key undermines the security and privacy of the Internet. Filed in the U.S. Court of Appeals of the Fourth Circuit, the brief contends the order would have allowed the U.S. government to access the personal information of all of Lavabit’s 400,000 users. “This is like trying to hit a nail with a wrecking ball,” the EFF brief stated. Meanwhile, LinkedIn’s Intro service is raising privacy and security concerns. [IDG News Service]

WW – Anonymous VPN Service Shuts Down, Cites Gov’t Intrusion

CryptoSeal Privacy, a service providing anonymous virtual private networks, has shut down the consumer service portion of its business rather than risk U.S. government intervention. The move follows a similar business decision by former e-mail service provider Lavabit. A legal filing in Lavabit’s case has been seen as troubling for CryptoSeal, the report states. CryptoSeal wrote, “Our system does not support recording any of the information commonly requested in a pen register order, and it would be technically infeasible for us to add this in a prompt manner … The consequence, being forced to turn over cryptographic keys to our entire system on the strength of a pen register order, is unreasonable in our opinion and likely unconstitutional. But until this matter is settled, we are unable to proceed with our service.” [Ars Technica]

WW – E-mail Encryptors Form Dark Mail Alliance

Online encryption organizations Silent Circle and Lavabit have announced the formation of the Dark Mail Alliance, an open-sourced tool with end-to-end encryption. The group aims to improve e-mail privacy by preventing e-mails from being shared with third parties, scanned for ads or easily hacked. Both businesses earlier this year shut down their respective encrypted e-mail services rather than share users’ data with the U.S. government. Silent Circle CEO Mike Janke said, “We’re the rebels who have decided privacy is too important to compromise on,” adding, “We believe e-mail is fundamentally broken in its current architecture … This is an opportunity to create a new e-mail service where the keys are created on the device and only the user can decrypt it.” [Forbes]

WW – Windows 8.1 Comes with Automatic Disk Encryption

Microsoft Windows 8.1 ships with automatic device encryption enabled by default, but the feature’s hardware requirements mean that it works only on newer systems. [ArsTechnica] [ArsTechnica] [CNN]

US – US Government Sites Using Expired SSL Certificates

More than 200 US government websites appear to be using expired SSL certificates, putting site visitors at risk of having personal information stolen through man-in-the-middle attacks. Some of the expired certificates may be due, in part, to the government shutdown. According to a study from the University of California, users are likely to click through messages warning of expired certificates. [IT News] [NextGov] [Study of Browser Security Warning Effectiveness]
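The risk reported above comes down to a date check that the site operators evidently were not running. The following is an added example, not code from the page or from the cited study, showing how a defender can classify certificate validity windows from the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns, and how a live check behaves when a certificate has expired. The hostnames, dates and the `REFERENCE_NOW` audit time are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample inventory shaped like the dict getpeercert() returns for a
# verified peer. Hostnames and validity dates are invented for this example.
SAMPLE_CERTS = {
    "expired.example.gov": {
        "subject": ((("commonName", "expired.example.gov"),),),
        "notBefore": "Oct  1 00:00:00 2012 GMT",
        "notAfter": "Oct  1 00:00:00 2013 GMT",
    },
    "expiring.example.gov": {
        "subject": ((("commonName", "expiring.example.gov"),),),
        "notBefore": "Nov 15 00:00:00 2012 GMT",
        "notAfter": "Nov 15 00:00:00 2013 GMT",
    },
    "valid.example.gov": {
        "subject": ((("commonName", "valid.example.gov"),),),
        "notBefore": "Jan  1 00:00:00 2013 GMT",
        "notAfter": "Jan  1 00:00:00 2015 GMT",
    },
}

# Fixed audit time (constructed) so the classification below is reproducible.
REFERENCE_NOW = datetime(2013, 10, 24, tzinfo=timezone.utc)

DAY = 86400


def cert_status(cert, now=None, warn_days=30):
    """Classify a getpeercert()-style dict relative to `now` (timezone-aware).

    Returns 'not_yet_valid', 'expired', 'expiring' (inside the warning window)
    or 'valid'. ssl.cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT'
    strings OpenSSL emits and returns a UTC epoch value.
    """
    now = now or datetime.now(timezone.utc)
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    now_s = now.timestamp()
    if now_s < not_before:
        return "not_yet_valid"
    if now_s >= not_after:
        return "expired"
    if not_after - now_s < warn_days * DAY:
        return "expiring"
    return "valid"


def days_left(cert, now=None):
    """Whole days until notAfter; negative once the certificate has expired."""
    now = now or datetime.now(timezone.utc)
    return int((ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) // DAY)


def audit(certs, now=None, warn_days=30):
    """Map every hostname in an inventory to its status."""
    return {host: cert_status(c, now, warn_days) for host, c in certs.items()}


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Live check against a real host (not exercised offline).

    The default context verifies the chain and validity period, so an expired
    certificate fails the handshake, which is the same condition the browser
    warning reports. Surface the verifier's message instead of disabling
    verification to read the certificate anyway.
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert(), None
    except ssl.SSLCertVerificationError as err:
        return None, err.verify_message  # e.g. 'certificate has expired'


if __name__ == "__main__":
    for host, status in audit(SAMPLE_CERTS, REFERENCE_NOW).items():
        print(f"{host:24} {status:14} {days_left(SAMPLE_CERTS[host], REFERENCE_NOW):>5} days")
```

Run as a scheduled job against an inventory of hostnames, the `expiring` state is the one that matters operationally: it gives the renewal lead time that an expired-certificate warning, which users click through anyway, does not.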

EU Developments

EU – LIBE Adopts Compromise Amendments; Sends Draft To Council

The Committee on Civil Liberties, Justice and Home Affairs voted Monday for a major overhaul of current EU data protection rules. The committee adopted “en bloc” a package of compromise amendments assembled by Green MEP Jan Philipp Albrecht, rapporteur for the proposed regulation, which represented only a fraction of the 3,000 amendments initially proposed to the committee earlier this year. Meanwhile, French newspaper Le Monde has reported on NSA internal memos detailing “the wholesale use of cookies by the NSA to spy on French diplomatic interests at the UN and in Washington.” [Privacy Advisor] See also: [Has the LIBE Committee Torpedoed the Safe Harbor?]

EU – Regulation Implementation May Come Sooner Than 2015 After All

The European Commission is prepared to ignore attempts to delay implementation of the proposed data protection regulation. Instead, the commission plans to push toward implementing the regulation by spring of 2014, despite conclusions adopted at the summit last week suggesting the regulation be introduced by 2015. Financial Times reports the vote’s delay until at least next year, should that come to pass, is an “important victory” for U.S. tech giants who will need the time to bolster their case for a watered-down version of the reforms while the heated climate surrounding U.S. surveillance revelations cools down. [EurActiv]

EU – Two Years Later, LIBE to Vote on Reg

The Guardian reports that after two years of gridlock, the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) has scheduled votes on the reports on the revised data protection regulation and directive for Monday in Strasbourg. An announcement on the European Parliament’s website says, “The committee will adopt a mandate for negotiations with the council in order to try and reach a common agreement on the Data Protection package before the European elections in May 2014.” [Full Story]

UK – Gov’t to Consult on Jail Time for Breaches

The UK government is considering introducing the possibility of jail sentences for breaches of the Data Protection Act (DPA), Out-Law.com reports. Justice Secretary Chris Grayling has written to Home Affairs Committee Chairman Keith Vaz indicating “the public would be asked whether there should be new custodial penalties for breaches of Section 55,” the report states. While the current penalties are fines of different amounts, depending upon the court where the case is heard, Grayling “has the power to introduce new regulations that would allow a custodial sentence penalty to be available for the offences under Section 55 of the DPA,” the report states. [Full Story]

EU – ECJ: Protection Against Passport Fraud Outweighs Privacy

The European Court of Justice (ECJ) has ruled “that although the taking and storing of fingerprints for passports breached privacy and personal data rights, it did not breach the EU’s Charter of Fundamental Rights and was in line with EU law,” EUObserver reports. While the charter includes an explicit right to the protection of personal data, the ECJ determined the privacy infringement is justified to reduce fraudulent use of passports. “The contested measures pursue, in particular, the general interest objective of preventing illegal entry into the EU. To that end, they are intended to prevent the falsification of passports and the fraudulent use thereof,” the court has said. [Full Story]

UK – ICO: We Do Not Discriminate

Computing reports on the insistence of the Information Commissioner’s Office (ICO) that “it does not discriminate between private- and public-sector firms when deciding on data breach fines” and its assertion “nobody has been ‘let off’ fines” since the ICO received the power to levy fines up to 500,000 GBP three years ago. “I think there’s certainly no discrepancy on our part, favouritism or thoughts like that in any way,” said the ICO’s Simon Rice. Meanwhile, the ICO has announced it has prosecuted a pay day loan company and its director for “failing to register that the business was processing personal information.” The ICO is also warning organisations, in light of a Royal Veterinary College breach, to ensure their policies “reflect how the modern workforce are using personal devices for work.” [Full Story]

EU – ECHR Anonymous Posting Decision Sparks Concern

The European Court of Human Rights (ECHR) has ruled an Estonian court was correct when it fined Delfi in a case involving anonymous postings on the news website, Wired reports. Joe McNamee, executive director for European Digital Rights, said, “This baffling logic now appears to render it effectively impossible for an online publication to allow comments without positive identification of the end users … So much for the human right to privacy in the Convention. This will directly undermine individuals’ rights to free speech and indirectly undermine their right to privacy.” Lawyers in the UK, however, suggest if the original case had been held there, “the outcome would have been very different,” the report states. [Full Story]

EU – France Backs Fines for Sharing with U.S. Gov’t

France is backing EU proposals to fine companies sharing information with American intelligence services up to five percent of global revenue. The UK is prepared to clash with France on the fines—estimated to potentially cost UK businesses £360 million per year. France has also tabled a proposal for an international data transfer levy, the report states. “Core European values, namely the respect of fundamental rights, including the right to privacy and security, also matter just as much online as offline. Recent disclosures concerning surveillance activities have cast a shadow in EU citizens trust,” said European Commission President José Manuel Barroso. [The Telegraph]

Filtering

UK – UK ISPs Ordered to Block More Sites in Bid to Quell Piracy

A UK court has ordered Internet service providers (ISPs) there to block 21 additional websites suspected of encouraging illegal music filesharing. The blocks must be in place by Wednesday, October 30. Earlier orders have called on UK ISPs to block eight other sites, including The Pirate Bay. [BBC]

Finance

EU – Parliament To Vote on Suspending SWIFT

On the heels of the Committee on Civil Liberties, Justice and Home Affairs vote for a major overhaul of current EU data protection rules, the European Parliament will now decide whether the EU-U.S. agreement on data transfers under the SWIFT payment network should be suspended. Under SWIFT, the EU provides the U.S. with EU residents’ payment data in order to thwart terrorism. But U.S. NSA revelations have raised concerns about the program. The outcome of a vote today will be nonbinding. [EU Parliament]

US – Are Banks Regularly Violating the GLBA?

Forbes reports on the selling of personal information by the financial industry and new research by Carnegie Mellon University Prof. Lorrie Faith Cranor. She, along with her students, analyzed 3,422 financial institutions to better understand their data-sharing practices and to see whether they comply with the Gramm-Leach-Bliley Act (GLBA). Her research found that practices varied widely—including 27 organizations that violated GLBA regulations altogether, the report states. “There is really no way for a consumer to find the good banks,” Cranor said, “because you would never think to check all the privacy policies.” JP Morgan Chase Director of Public Affairs Steve O’Halloran said, “We post our consumer privacy notice on Chase.com. On this page, you’ll notice that customers can limit information that is shared with affiliates and non-affiliates.” [Forbes]

Health / Medical

US – Tiger Team Uncovers Skepticism of HIPAA Disclosure Rule

As the U.S. Department of Health and Human Services’ Office of Civil Rights prepares to finalize rules for accounting disclosures as part of the HITECH Act, the Privacy and Security Tiger Team (part of the Office of the National Coordinator’s Health IT Policy Committee) is surveying stakeholders, and the stakeholders aren’t thrilled. The disclosure rule allowing patients to ask for a report detailing all internal access to their records is “misguided,” says the American Hospital Association. The Confidentiality Coalition fears “frivolous lawsuits.” The National Association of Chain Drug Stores says there will be “enormous new burdens.” Comments are open through Oct. 25 if you want to chime in. [Government Health IT]

US – Healthcare Breach Case a Boon for Encryption?

A California appeals court ruled that the Board of Regents at the University of California can’t be held accountable for the loss of a hard drive containing the personal health information of more than 16,000 patients. The decision hinged on the hard drive being encrypted. Officials could not confirm the data was actually accessed. The report also notes that the case was decided under California’s Confidentiality of Medical Information Act, not HIPAA. Meanwhile, Fierce Health IT reports that the Government Accountability Office is pushing the Centers for Medicare & Medicaid Services to remove Social Security numbers from ID cards, noting that the inclusion “introduces risks to beneficiaries’ personal information.” [mHealth News]

Horror Stories

US – Laptop Thefts Result in Medical Breaches

California’s AHMC Healthcare has reported a breach in which two laptops containing the personal health information of 729,000 patients were stolen. According to medical breach data kept by the U.S. Department of Health & Human Services, the breach is the second largest this year. [FierceHealthIT] Seton Healthcare Family in Texas has also announced a breach involving a laptop theft.

WW – Adobe Breach Affected At Least 38 Million Users

The estimated number of registered Adobe product users affected by a recent breach of that company’s systems has been increased to more than 38 million. The breach was initially disclosed at the beginning of October. At that time, Adobe said that the attackers stole encrypted credit card information of three million customers. In addition to increasing the number of affected users, Adobe also said that the breach appears to have compromised source code for Photoshop. [KrebsOnSecurity]

WW – Breach Roundup…

Meanwhile, the Department of Energy says the number of people affected by a breach resulting in stolen data in July 2013 is more than double the number it initially estimated. A new survey indicates two-thirds of U.S. adults wouldn’t return to a business if their personal data was stolen.

A former Department of Justice cybercrime prosecutor says organizations should develop a “defensible response” to data breaches and fraud incidents because it’s likely they’ll next face a regulatory investigation or legal action. [Bank Info Security]

Hackers broke into database service MongoHQ using the compromised username and password of an administrator. The hackers made off with the data of a “limited number” of users. [eWeek]

In Missouri, Boone Hospital Center has begun notifying 125 patients that an employee working with an affiliated clinic may have accessed their personal information, including birthdates, Social Security numbers and medical diagnoses. [eSecurity Planet]

In Minnesota, Allina Health has started to notify patients that their personal health information was improperly viewed by a certified medical assistant. More than 3,000 patients were affected, though it is not believed the information has been used nefariously. The medical assistant has since been fired.

Insurance company Fidelity Life says a USB stick with sensitive data on about 1,200 clients was stolen from an employee’s car. The data included personal bank account numbers on people who had investments with a recent acquisition, Tower Health and Life.

In South Carolina, about 33,000 residents have enrolled in the state’s new identity theft protection service. Those eligible for protection had their data exposed in last year’s hacking of the state Revenue Department. A new study indicates that of 16 million victims of payment card information breaches in 2012, more than 25 percent were also victims of identity theft. The report found that retailers are the prime targets for payment card breaches, and that’s a trend that doesn’t look to be changing soon.

A recent data breach at Adobe impacted at least 38 million users, the company says. The stolen data was posted last weekend to AnonNews.org. Adobe has been contacting those whose encrypted password information was stolen and urged them to reset their passwords. [KrebsOnSecurity]

Supermarket chain Schnuck Markets has recently agreed to a proposed class-action settlement following a breach involving 2.4 million credit and debit cards earlier this year. The chain will pay each affected customer up to $10 for each card hit with a fraudulent charge and $10 an hour for “up to three hours of documented time spent dealing with the breach.” [eSecurity Planet]

Health coverage company AvMed last week reached a $3 million data breach settlement that allows plaintiffs who didn’t suffer identity theft to claim funds. Attorneys say the settlement is “groundbreaking” and will likely “serve as a template for other plaintiffs in class actions over data breaches,” the report states. [Law360]

The U.S. Attorney’s Office has charged an alleged hacker in the UK with breaching thousands of computer systems in the U.S. and elsewhere. [Dark Reading]

A woman looking for yard sale bargains in Colorado purchased a box of office supplies worth more than she paid; the box contained student records—including Social Security numbers—from Pueblo Community College. “With all the identity theft and fraud, I was shocked that this was found at a garage sale,” the woman said.

Local law enforcement has opened an investigation into the theft of medical records from Northern Inyo Hospital in California. An employee in the hospital’s records department illegally obtained a patient’s medical file. The employee was subsequently fired. In the same state, the Legal Aid Society of San Mateo County is alerting patients of the burglary of 10 laptops containing personal data. The laptops were used by attorneys helping patients with healthcare services, and the data compromised may have contained medical data and Social Security numbers, HealthITSecurity reports.

In Florida, Broward Health is warning 960 patients about a data breach after a former employee stole their personal information. Wisconsin’s Memorial Hospital of Lafayette County has posted a notice on its website that it mailed 8,000 data breach notification letters after its third-party billing vendor accidentally sent their financial statements to the wrong people. In Virginia, two former nurse’s aides improperly accessed about 3,700 patients’ personal information in an identity theft scam, netting more than $116,000, The Virginian-Pilot reports.

An investigation by the Pittsburgh Tribune-Review has found that VA employees or contractors committed more than 14,000 HIPAA privacy breaches since 2010, iHealthBeat reports. The breaches affected more than 100,000 veterans and more than 500 VA employees.

California’s Monterey County Department of Social Services has recently begun notifying residents that their personal data may have been exposed following access to the department’s computer by unauthorized users overseas.

An IT security vulnerability was found on News Corp’s major metropolitan websites in Australia, The Sydney Morning Herald reports. The details exposed include birthdate, e-mail address, number of children and household income.

PR Newswire is “conducting an extensive investigation” and has notified law enforcement over a breach earlier this year in which hackers broke into its networks, stealing usernames and encrypted passwords. The stolen data was recently found on the same Internet servers housing data stolen in an Adobe Systems breach, Krebs on Security reports, indicating the same party may be responsible for both breaches.

In South Africa, a variant of malware inserted into point-of-sale devices at fast-food outlets has cost local banks tens of millions, Mail & Guardian reports.

Following a probe by the UK Information Commissioner’s Office (ICO) into Panasonic UK’s data security policies, the company has agreed to strengthen its data security practices. The ICO will not serve an enforcement notice based on Panasonic’s plans.

Symantec Corp. is asking a federal court in California to toss out a proposed class action. The plaintiff in the case accuses Symantec of concealing a data breach and says the company is now raising “unavailing or scattershot arguments” in its aims to see the case dismissed.

Meanwhile, an article for CFO warns companies should do their due diligence before entering contract negotiations with cloud providers in order to avoid data-breach liability claims.

Identity Issues

US – Cali AG Releases Recommendations on ID Theft

California Attorney General Kamala Harris has released a report, “Medical Identity Theft: Recommendations for the Age of Electronic Medical Records,” that includes guidelines for the healthcare industry and insurers on preventing and remedying medical identity theft. The report focuses on the impact of identity theft on the accuracy of medical records and recommends that healthcare providers implement an identity theft response program, build awareness of the dangers and train staff appropriately, among other recommendations. “As the Affordable Care Act encourages the move to electronic medical records, the health care industry has an opportunity to improve public health and combat medical identity theft with forward-looking policies and the strategic use of technology,” said Harris. Accompanying the report is also a guide for consumers. [Report]

US – Mobile Devices to Become Identity Verifiers Thanks to Federal Grants

HID Global and two of its partners have received cybersecurity grants through President Barack Obama’s National Strategy for Trusted Identities in Cyberspace (NSTIC) initiative. The grants will be used to develop systems that will enable mobile devices to carry credentials for identity verification to improve consumer privacy among other things, the report states. Dubbed the NSTIC Key Team, the companies will enable mobile devices “to be used like smart cards to secure applications and networks for a leading social media company, a healthcare organization and the U.S. Department of Defense.” [Dark Reading]

US – Experian Subsidiary Sold Data to Underground Identity Fraud Site

An underground website that sold data that could be used to commit identity fraud appears to have purchased a significant amount of information from the US credit bureau Experian. The site, Superget.info, sold Social Security numbers (SSNs), drivers license numbers, and financial data. Some of the data available on the site were obtained from a company called Court Ventures, which Experian acquired in March 2012. Court Ventures “aggregates, prepackages, and distributes public record data.” The data thieves operating Superget pretended to be a US-based private investigator to gain access to the data. [KrebsOnSecurity]

US – Brill to Headline “Reclaim Your Name” Event at NYU

Now that the partial government shutdown is over, FTC Commissioner Julie Brill can focus on her next public speaking event. She will headline NYU-Poly’s third Sloan Cybersecurity Lecture, “Reclaim Your Name: Privacy in the World of Big Data,” to be held October 23, with a speech she promises will be “pretty colorful.” In this exclusive for The Privacy Advisor, Brill previews her talk by saying companies are already responding to her call for data transparency and the ability to correct and suppress. “I look at Acxiom’s AboutTheData website as a response to what I called for,” she said. “It’s not nearly full-blown Reclaim Your Name, but it’s a first step toward providing more transparency to consumers about data collection and use practices.” [Source]

Intellectual Property

US – MPAA Publishes List of Top Filesharing Sites Around the World

The Motion Picture Association of America (MPAA) has released a report that lists major illegal filesharing sites around the world. Ironically, the MPAA has criticized Google for returning high numbers of filesharing sites in its search results, but now MPAA has provided an organized list of many of those sites. The MPAA report was created to provide the US Trade Representative with the names of “potential Internet and physical notorious markets that exist outside the US.” [WIRED] [MPAA’s Report critical of Google]; [MPAA’s Report on Filesharing Sites]

Internet / WWW

EU – Europe Aims to Lead With the Cloud

The European Commission has outlined plans for the EU to become a “world leading” cloud computing market when it comes to data protection. While the commission acknowledges U.S. surveillance revelations “aggravated” existing concerns about foreign cloud storage, it says calls for regional-only cloud storage would be “misguided.” “Trust can be restored with more transparency and the use of high standards,” the commission said. “A better overview of standards, certification of the use of those standards and safe and fair contract terms for cloud computing are essential.” [Out-Law.com]

US – U.S. Group Lobbying to Prevent Cloud Mining in Europe

A U.S.-based group is lobbying for a code of conduct banning cloud providers from mining data and serving ads in European schools. Many schools across Europe use services such as Google Apps for Education, but some countries, including Sweden, have banned the use of U.S.-based cloud services because they do not comply with data protection law. SafeGov has released a report on the issue and is urging Europe to consider such a code of conduct. Meanwhile, The Guardian reports on how to manage data protection and disaster recovery in the cloud. [ZDNet]

Law Enforcement

US – City To Tighten Plate-Scanning Retention Limits

In response to an open records request, the Pittsburgh Parking Authority (PPA) will tighten its license plate scanning policy and regularly delete scanned photos from its database. Over the last eight years, the authority has taken millions of photos of parked vehicles and stored the data for up to 30 days in a database that potentially can be used to track a vehicle’s movement around the city, the report states. In a letter, PPA Executive Director David Onorato wrote, “This type of information will no longer be accessible, except with respect to vehicles that have outstanding parking tickets.” The Pennsylvania chapter of the American Civil Liberties Union applauded the move, with one representative saying, “It is really creepy when you can say, ‘You were at the Giant Eagle at such and such a time.’” [Pittsburgh Post-Gazette]

US – Aaron’s Settles FTC Charges That it Enabled Computer Spying

The Federal Trade Commission (FTC) announced that Aaron’s, Inc., has agreed to settle charges that it enabled computer spying on customers by its franchises. According to an FTC press release, the company is barred from using monitoring technology and must obtain consent before using location-tracking software. FTC Bureau of Consumer Protection Director Jessica Rich said, “Consumers have a right to rent computers free of cyberspying and to know when and how they are being tracked by a company.” In its Business Center Blog, the FTC details what businesses can learn from the settlement. [FTC]

Location

WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Mozilla Developing GeoLocation Public Data Service

Mozilla is working on a public geolocation data service using cell tower and WiFi signals to give developers “a more privacy-aware option than current alternatives.” “The data would be provided by cell towers, WiFi and IP addresses,” the report states, and could be made available to the public. It’s a service already experimentally operating in the U.S., Brazil, Russia, Australia and Indonesia. [PCWorld]

US – Federal Appeals Court Says Warrant Required for GPS Tracking

The Third US Circuit Court of Appeals has ruled that law enforcement officers must obtain a probable cause warrant before affixing GPS trackers to a suspect’s vehicle. This is the first appeals court ruling since the January 2012 US Supreme Court ruling in United States v. Jones that affixing a GPS device to a suspect’s vehicle constitutes a search under the Fourth Amendment. The justices did not rule on whether the search was unreasonable and thus required a warrant. This recent case, United States v. Katzin, involved a GPS device attached to the vehicle of a suspect in a series of pharmacy robberies. [ComputerWorld] [WIRED]

Offshore

BA – Bahrain Cabinet Approves Draft Privacy Law

Gulf Daily News reports that during the cabinet’s weekly session, it gave its initial approval to draft legislation that “aims to provide legal protection of personal privacy, which is a fundamental constitutional right.” According to Minister of State for Information Affairs and official government spokeswoman Sameera Rajab, the bill “includes the protection of digital data,” in order to “enhance public confidence in electronic transactions through the preservation and protection of personal data.” The cabinet has referred the bill to the ministerial committee for legal affairs and, according to the report, more details about it will be available after it is discussed in the National Assembly.

Online Privacy

WW – Privacy Advocates, Online Ad Groups Still Doubt Do Not Track Talks

Privacy advocates and the ad industry agree on one thing: the Do-Not-Track (DNT) talks should end. But the co-chairmen of the World Wide Web Consortium DNT working group announced that talks will continue. Network Advertising Initiative President Marc Groman, CIPP/US, said the NAI “remains concerned about the lack of progress and transparency in the working group as well as recent stories of arbitrary decisions,” but added, “we will continue to engage to ensure that there is a voice for third parties and digital advertising, small- and medium-sized businesses, the long tail of the Internet and frankly the consumer.” [The Hill]

US – DMA Calls for New Privacy Laws; Marketing Questions Persist

The Direct Marketing Association (DMA) is asking Congress “to overhaul privacy laws in order to protect companies’ ability to use data for marketing purposes.” The DMA’s requests include asking Congress “to invalidate state laws ‘that endanger the value of data’ and to prohibit consumers from bringing privacy class-action lawsuits,” the report states. On the subject of direct marketing, a Forbes report entitled “Kroger Knows Your Shopping Patterns Better Than You Do” looks at one of the nation’s leading grocery store chains’ ad campaigns. Meanwhile, in a separate incident, a DMA e-mail campaign this weekend “reportedly hit more than 100 spam traps and e-mail boxes of some of the world’s most prominent anti-spammers.” [MediaPost]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [FB Announcement]

WW – Facebook Tests Software to Track Your Cursor on Screen

New software is being tested by Facebook to increase the site’s ability to collect greater amounts of user information, including the tracking of a user’s cursor on screen. In an interview with The Journal, Facebook Analytics Chief Ken Rudin said the collected data could be added to the company’s data analytics warehouse. According to the report, Facebook can use the stored data “for an endless range of purposes—from product development to more precise targeting of advertising.” Currently, the company collects two types of data: behavioral and demographic. The new tests would expand Facebook’s ability to collect behavioral data, according to Rudin. [The Wall Street Journal]

WW – New Open-Sourced Browser Blocks Ads by Default

WhiteHat Security has released a new open-sourced, ad-blocking browser for OS X. Called Aviator, the browser preserves privacy by default and treats ads like a security threat. The browser is also preconfigured to use anonymous search engine Duck Duck Go. WhiteHat Security Product Management Director Robert Hansen wrote, “(N)ot a single browser vendor offers ad blocking, instead relying on optional third-party plugins, because this breaks their business model and how they make money,” adding, “Current incentives between the user and the browser vendor are misaligned. People simply aren’t safe online when their browser vendor profits from ads.” The browser comes out after recent talks around an industry standard do-not-track option have had difficulty moving forward. [InformationWeek]

US – Sen. Schumer Backs Offline Do-Not-Track

We reported on Monday that the Future of Privacy Forum (FPF), along with nine analytics companies, proposed a retail store Do-Not-Track opt-out code of conduct, and on Tuesday, according to an FPF press release, the group received backing from Sen. Charles Schumer (D-NY). CNET News reports that eight out of the 10 major cellphone tracking companies have agreed to the code of conduct, including Euclid, a company that was questioned earlier this year by Sen. Al Franken (D-MN) about its tracking practices. The code requires stores using MAC address tracking technology to post conspicuous signs notifying consumers of the tracking and to offer a website where customers can opt out of being tracked. Schumer said, “This is a significant step forward in the quest for consumer privacy,” adding, “This agreement shows that technology companies, retailers and consumer advocates can work together in the best interest of the consumer.” [Source]

WW – The Economics and Future of Cookies

As the IAPP reported, cookies may be reaching the end of the road—but not with a whimper. Google, Facebook and Microsoft are designing their own online tracking systems “in ways that bypass the more than a thousand software companies that place cookies on websites,” which could mean a radical shift in the balance of power in the $120 billion digital ad industry. Evidon CEO Scott Meyer said, “There is a Battle Royal brewing … Whoever controls access to all that data can charge rent for it—and has a tremendous advantage going forward.” [Wall Street Journal]

Other Jurisdictions

US – Senator Wants Answers on Student Data Outsourcing

Sen. Ed Markey (D-MA) wants to know how student information is being protected when it comes to data collection and analysis within the education-technology industry. Markey sent a letter to Secretary of Education Arne Duncan asking how K-12 schools are outsourcing the management and assessment of student data to technology vendors. “By collecting detailed personal information about students’ test results and learning abilities, educators may find better ways to educate their students,” Markey wrote. “However, putting the sensitive information of students in private hands raises a number of important questions about the privacy rights of parents and their children.” [New York Times]

AU – Australian Prof: Privacy Tort Can’t Do Everything

The Australian takes another look at the Australian Law Reform Commission (ALRC) inquiry into privacy law, highlighting comments by Prof. Barbara McDonald, the commissioner in charge of the inquiry. “The law cannot do everything—even if we have a statutory tort for invasion of privacy, it is not going to stop people invading privacy any more than a law against murder stops murder,” she said. McDonald has been asked to produce a detailed design for a privacy tort but “is also examining alternatives to a privacy tort that could fill the gaps in privacy law without the need for the creation of a new method of litigating,” the report states. Meanwhile, The Age reports on the Australian Internet Governance Forum’s examination of the ALRC’s consideration of whether Australia should introduce its own “right to be forgotten.” [Full Story]

HK – Hong Kong PCPD Orders Company To Stop Supplying Data

“Something of a furore has been caused in Hong Kong by the decision of the Office of the Privacy Commissioner for Personal Data (PCPD) to issue an enforcement notice to stop a company from supplying data on individuals obtained from publicly available litigation and bankruptcy records via a smartphone application,” Lexology reports. The PCPD said the app, Do No Evil, “seriously invaded” those individuals’ privacy. Commentators, meanwhile, are accusing “the PCPD of threatening freedom of information, making inconsistent decisions and being technophobic,” the report states. [Full Story]

Privacy (US)

US – Netflix Plaintiffs Say Settlement Doesn’t Help Them

Netflix users are asking the Ninth Circuit Court of Appeals to vacate a settlement that would see the company donating millions of dollars to nonprofits. The users say the settlement doesn’t benefit them, stating they were affected by a privacy glitch in which Netflix allegedly held on to subscriber names after they had cancelled their memberships, a violation of the Video Privacy Protection Act of 1998. Netflix has denied violating the law but agreed to destroy the personal information and says the $9 million settlement is in line with privacy settlements by Facebook and Google. [MediaPost]  

US – Warrantless Surveillance Law May Face Test in Criminal Case

U.S. federal prosecutors “intend to use information gathered through the government’s warrantless surveillance program in a criminal trial, setting up a possible court test of the constitutionality of such eavesdropping.” In a notice released late Friday, the Justice Department announced it will use “information obtained or derived from acquisition of foreign intelligence information conducted pursuant to the Foreign Intelligence Surveillance Act” in a case against an alleged terrorist. A deputy legal director with the American Civil Liberties Union has described the filing as a “big deal” that “will undoubtedly set up a constitutional challenge,” the report states. [CNET]

US – Tips on Complying With COPPA While Still Making Money

Sara Hanlon, the CEO of a website targeted at kids and their grandparents, offers tips on how to meet the challenges of the newly revised COPPA while continuing to bring in revenue through your website. “While there are expenses associated with compliance, the complexity of the law and the thought of overhauling an entire business model are bigger issues,” Hanlon writes, noting that for some, “the law has created opportunities to innovate in order to continue to profit.” Tips offered by Hanlon include: Read and understand COPPA, and don’t “assume your lawyer, developer or anyone else is handling this for you;” create a “parents area” on your site, and join an FTC-endorsed Safe Harbor Program, among others. [AdAge]

US – FTC: Ignore Privacy Principles at Your Own Peril

U.S. Federal Trade Commissioner Julie Brill warns the data broker industry that it must protect consumer data or face the consequences. Companies that ignore “basic privacy principles do so at their own peril,” she writes, but urges the industry to join a collective creation of consumer-friendly online services, an initiative she called Reclaim Your Name. Meanwhile, the FTC is mulling potential regulation of the emerging Internet of Things (IoT) market. Referencing a recent settlement with TRENDnet, Hogan Lovells writes that the agency may be taking a broader view of “sensitive data.” The FTC will host a roundtable on IoT next month. An earlier Privacy Perspectives post looked at some of the comments provided to the FTC by industry and advocacy groups. [AdAge]

US – SCOTUS Won’t Hear Privacy Lawsuit

The U.S. Supreme Court will not hear a privacy case against a division of Thomson Reuters Corp. on whether it can collect and sell information on drivers provided by state agencies. “The decision not to hear the matter represented a win for the commercialization of publicly available information, although U.S. law remains mixed on the subject,” the report states. The lawsuit alleged the practice violated the Driver’s Privacy Protection Act. Meanwhile, Bloomberg reports that a lawsuit claiming LinkedIn illegally mined its subscriber e-mail lists has been assigned to U.S. District Judge Lucy H. Koh—the judge who recently ruled the Google wiretapping case could go forward. [Reuters]

US – Exposé of Experian Sparks New Questions About Data Brokers

Recent revelations that a company acquired by Experian may have sold personal data to a group of identity thieves have prompted an investigation by Sen. Jay Rockefeller (D-WV). The Experian report comes as Rockefeller and the FTC are both already investigating the data broker industry. In a letter to Experian, Rockefeller wrote, “if these recent news accounts are accurate, they raise serious questions about whether Experian as a company has appropriate practices in place for vetting its customers and sharing sensitive consumer data.” On Wednesday, FTC Commissioner Julie Brill called on Congress to enact legislation to regulate the data broker industry. [MediaPost]

US – TSA To Screen Passengers Before They Arrive at Airports

The Transportation Security Administration (TSA) is expanding passenger screenings by searching government and private databases for data on passengers—including car registrations and employment information—before they get to the airport. The TSA says the practice, which was revealed in documents released by the TSA under government regulations on data use and collection, aims to streamline the security-check process for travelers who don’t pose a threat. “I think the best way to look at it is as a pre-crime assessment every time you fly,” said a spokesman from The Identity Project. [The New York Times]

WW – IAPP Hits 14k Members, Expands Into New Space

The IAPP celebrated the joining of its 14,000th member by opening up new office space this past weekend, continuing its growth in both the privacy industry and the warehouse space it occupies on the former Pease Air Force Base in Portsmouth, NH. The membership growth and need for office space obviously are closely connected. While it took more than 10 years to hit 10,000 members in 2012, membership has grown to 14,000 in 18 months since then, and the IAPP has had to add staff to support those members in their training, certification, events and publications teams along the way, along with the addition of the Westin Research Center, also housed in the IAPP’s offices. [Source]

Privacy Enhancing Technologies (PETs)

WW – Business Rx: Data Privacy Firm Wants to Sell to Consumers

Internet companies and entrepreneurs are making headlines with their privacy-focused business ventures. ManageURiD, formed last year, is intended to “dynamically and automatically determine how much of your sensitive personal information is available on the Internet and who is selling it” as well as manage its removal, monitor its reappearance and provide “a Personal Privacy Dashboard so you can see the current status, history and details … at any time.” Ars Technica describes how Private Internet Access, a small U.S.-based VPN, is “trying to stand up for privacy”—in part by not logging anything. Meanwhile, Mozilla’s new Lightbeam add-on for Firefox shows users “what companies are behind each cookie stored in their browsers and what information those companies are gathering.” [The Washington Post]

RFID

US – Former US VP Disabled Wireless Capability of Implanted Defibrillator

Former US vice-president Dick Cheney acknowledges that he had modifications made to his implanted defibrillator to prevent the device from being hacked. In 2007, Cheney had the device’s wireless feature disabled. [BBC] [The Register] [ArsTechnica]

Security

US – NIST Releases Preliminary Cybersecurity Framework

After a short delay caused by the partial U.S. government shutdown, the National Institute of Standards and Technology’s Information Technology Laboratory has released the Preliminary Cybersecurity Framework required under President Barack Obama’s executive order, “Improving Critical Infrastructure Cybersecurity,” of February 2013. NIST will shortly open a 45-day comment period on the preliminary framework, which will be posted here. Comments can be submitted at csfcomments@nist.gov in Word or Excel format. The feedback is vital, and at the top of the document NIST outlines the types of questions it would like answered, including issues of cost-effective implementation and existing best practices. The practices described in the document are voluntary. Some are critical of voluntary standards because they in turn become the de facto industry standards, which means companies that suffer breaches could be found liable if they have not implemented the practices. Private companies operate most elements of the country’s critical infrastructure. The final version of the document is scheduled to be released in February 2014. [GovInfoSecurity] [CNET] [Bloomberg] [SC Magazine] [Draft Framework] [NIST]

US – Workarounds Put Brands at Risk

User behavior is a major and growing source of privacy risk. We can see the extent, drivers and types of user behavior causing noncompliance issues and risks in recent research, which found 52% of healthcare workers globally use risky workarounds that are out of compliance with policy, and 66% find security protocols “burdensome.” This presents an opportunity—increasingly urgent—for privacy-enhancing technologies to enable workers to do their jobs efficiently without putting the brand at risk. [The Privacy Advisor David Houlding]

UK – 66% of UK Organizations Lack Staff with Key Technical Cybersecurity Skills

Twenty-four out of 25 UK firms report not having the adequate security measures to battle cyber attacks and two-thirds report that the lack of staff with advanced technical skills is the cause. [Telegraph]

WW – Mobile Firefox OS Exploits at Conference In India Next Month

A teenager who has discovered a way to infect Mozilla’s Firefox mobile operating system with malware says he will remain silent about the exploit until a November summit in New Delhi, India. Shantanu Gawde developed malware that allows attackers to gain remote access to devices’ SD cards, transfer contacts, track locations, control radio functions, and upload and download pictures, music, and video. [SC Magazine]

Smart Cards

US – Loyalty Cardholders Concerned About Privacy

Privacy is a factor for consumers considering whether to join loyalty card programs. A Mintel survey has found 32% of consumers believe “privacy is an important attribute of any loyalty program,” the report states. The study also found that 13% of respondents were frustrated “with too much personal information being requested during enrollment” and 10% cited concerns about “a lack of control over the privacy of their information,” according to the report. Mintel’s Ika Erwina said, “Reassurance of privacy is undoubtedly a key strategic tool in loyalty program engagement, but there is a paradox at play here between personalization and privacy.” [Supermarket News]

Surveillance

US – NSA Admits Snooping on World Leaders’ Calls

The NSA has acknowledged that it snooped on phone calls of 35 world leaders, including German Chancellor Angela Merkel. The White House was unaware of the program until this summer; once it learned about the snooping, it was stopped. The WSJ story says that the surveillance decision was made at NSA and did not require approval from the president. According to other sources, US intelligence officials say that the State Department and the White House both signed off on the surveillance program. While it is possible that the president was not briefed on specific NSA operations targeting foreign leaders’ communications, the National Security Council and senior members of the intelligence community would be aware of the activity, according to an unnamed former US intelligence official. [The Wall Street Journal] [CBS News] [CNET] [Washington Post] [LA Times]

WW – Spying Fallout Continues; Countries Draft UN Resolution

Internal documents from UK intelligence agency GCHQ indicate fears of a “damaging public debate” on the scale of its activities. GCHQ feared such a debate could lead to legal challenges against mass-surveillance programs, the report states. In the U.S., former Secretary of State Hillary Clinton called for a “full, comprehensive discussion” on the balance between privacy and security; experts debated the worth of mass data collection to begin with, and U.S. Rep. Alan Grayson (D-FL) said in an opinion piece that he learned much more about U.S. surveillance policies from the media than from intelligence meetings. Meanwhile, Germany and Brazil are reportedly working on a UN General Assembly resolution on surveillance. [The Guardian]

US – Report Says NSA Intercepted ISPs’ Data

Google and Yahoo are upset with a report that the NSA has secretly intercepted “large amounts of data as it flows across fiber-optic cables that carry information between the worldwide data centers.” “We have long been concerned about the possibility of this kind of snooping, which is why we have continued to extend encryptions across more and more Google services and links, especially the links in the slide,” said Google’s chief legal officer. Meanwhile, the American Civil Liberties Union says an FBI program that collects reports about suspicious activity lacks privacy safeguards. [The Guardian]

WW – After NSA Disclosure, Tech Giants Look to Increase Defenses

Days after the latest National Security Agency leak showing the agency had tapped the data centers of Yahoo and Google—allegedly without either company’s knowledge—many large tech companies, including Facebook and Twitter, have been spending time and resources bolstering internal networks to protect their consumers’ data. “What began as a public relations predicament for America’s technology companies has evolved into a moral and business crisis that threatens the foundation of their businesses, which rests on consumers and companies trusting them with their digital data,” the report states. ACLU Senior Analyst Chris Soghoian said some companies are taking steps to ensure “surveillance without their consent is difficult,” but added, “what they can’t do is design services that truly keep the government out because of their ad-supported business model, and they’re not willing to give up that business model.” [The New York Times]

US – NSA Reform Bill Expected; Feinstein Backs “Total Review”

House and Senate lawmakers plan on introducing legislation to limit the NSA’s surveillance powers. The USA FREEDOM Act, written by Sens. Patrick Leahy (D-VT) and James Sensenbrenner, Jr., (R-WI), would end the NSA’s bulk collection of phone records, increase curbs on monitoring Americans, require quicker data deletion in cases of accidental collection and create a special FISA court advocate. Sen. Dianne Feinstein (D-CA), who has consistently been a staunch defender of the NSA’s programs, has called for a “total review” of all intelligence collection programs after news that the U.S. allegedly spied on national leaders of allied nations—most notably German Chancellor Angela Merkel. The White House has also said there needs to be additional “constraints” on U.S. intelligence gathering to “better balance our security needs and the security needs of our allies against the real privacy concerns that we all share.” The House Intelligence Committee will hold a rare open hearing today, which will include the NSA director and other top intelligence officials. [The Hill]

WW – Schools Grapple With Cyberbullying and Privacy

Emerging social network monitoring systems designed to survey students’ publicly available posts are raising issues around free speech and children’s privacy. Now that students’ cries for help and instances of bullying and threats can be found online, several companies are offering software to help schools detect such outbursts, but do schools have the legal right to do so? Several cyberbullying cases have made their way to federal courts. American Association of School Administrators Executive Director Daniel A. Domenech said of the issue, “It is a concern and, in some cases, a major problem for school districts,” adding that the line between school and student rights can be confusing. One school administrator is wary of such online technology, saying, “The safety and well-being of our students is our top priority, but we also need for them to have the time and space to grow without feeling like we are watching their every move.” [New York Times]

Telecom / TV

US – New TCPA Rules in Effect October 16

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) go into effect today. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines, according to a Covington & Burling client alert. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. In this Privacy Tracker exclusive interview, listen to TCPA expert Yaron Dori, partner at Covington & Burling, talk about what these changes mean for your organization and its practices, and hear advice on how best to comply. [Full Story]

US Government Programs

US – Top U.S. Intel Officials Testify; Relations Fray Further

Top U.S. intelligence officials testified yesterday in a rare open hearing with the House Intelligence Committee, with National Security Agency Director General Keith Alexander and Director of National Intelligence James Clapper among them. While they were in concert with one another, the House committee members were, at times, singing different tunes. This exclusive for The Privacy Advisor reports on the hearing and rounds up the fallout from continued leaks about U.S. intelligence operations and how they’re affecting trade talks and the Safe Harbor with the EU. [Source]

US – The Feds: Data Brokers’ Next Big Customer

CNN reports on one commercial data broker “that tracks and stores the employment and salary information of millions of Americans” and its “big, new customer—the federal government.” The U.S. government is now using The Work Number, a database owned by Equifax that includes “54 million active salary and employment records and more than 175 million historical records,” in a pilot program aimed at determining eligibility for such benefits as food stamps, a World Privacy Forum report has found. The World Privacy Forum is pointing out privacy concerns, including that commercial databases such as this “do not have to meet the same strict privacy and accuracy standards that government-operated databases do,” the report states. [CNN Money]

US – Fordham Law Releases Privacy Curriculum for Middle Schoolers

Teenagers are tough to keep track of. After school, it’s on to sports practice and social lives and the rest. But one central place they can be found en masse is online. Not only are 93% of 12- to 17-year-olds online, according to a recent study from the Pew Internet & American Life Project, but they’re sharing more about themselves than ever before. It’s that kind of data that prompted Fordham Law’s Center on Law and Information Policy to use funds from a cy pres privacy settlement to establish an open-sourced curriculum for middle school kids. More than a dozen U.S. law schools have signed on to the program. [Source]

US – US Defense Secretary Wants DOD to Step Up Data Protection

In a memo earlier this month, US Defense Secretary Chuck Hagel ordered the Defense Department to implement measures to protect unclassified controlled data from being accessed by hackers. He has ordered DOD’s chief information officer and the undersecretaries of defense for acquisition, technology, and logistics; policy; and intelligence to assess unclassified DOD networks to evaluate their vulnerability to attacks and develop a strategy to mitigate those risks. Hagel also called for DOD, the NSA, and DISA to develop means to assess loss of technical data and the consequences of those losses; identify critical acquisition and tech programs that need stronger protection; and make sure they are being adequately protected. [Federal Times] [NextGov]

US Legislation

US – Franken and Heller Reintroduce Bill on Surveillance Transparency

Sens. Al Franken (D-MN) and Dean Heller (R-NV) have reintroduced the Surveillance Transparency Act of 2013. A hearing on the bill, which aims to increase transparency when it comes to government surveillance, will be held November 13. “The American public is naturally suspicious of executive power, and when things are done secretly, they tend to think that power is being abused,” said Franken. The bill follows a letter written by 60 Internet companies and advocacy groups pushing the president and congressional leaders for transparency when it comes to government surveillance. Meanwhile, a law enforcement official recently said scrutiny over government surveillance threatens police use of technology to solve crimes. [Broadcasting & Cable]

US – Lawmakers to Reintroduce Kids’ Tracking Act

Sen. Ed Markey (D-MA) and Rep. Joe Barton (R-TX) have announced plans to reintroduce the Do Not Track Kids Act, which aims to prohibit targeted advertising to kids younger than 16 and create an “eraser button.” The lawmakers point to a recent study from Commonsense Media showing an increase in the number of children accessing media through mobile devices as an indicator of need for the act. “The Do Not Track Kids legislation would update COPPA for this new Internet ecosystem, establish new protections for the personal information of children and teens and ensure that parents have the tools they need to protect their children’s privacy,” they said. COPPA was recently updated to prevent the tracking of kids under 13 years of age. [The Hill]

US – States Take Action Where Federal Gov’t Hasn’t

State legislatures around the country have rushed to propose a new series of privacy laws. More than two dozen privacy laws have been passed this year in more than 10 states, incited by increasing privacy concerns about personal data and a lack of action by the federal government. State Rep. Jonathan Stickland (R-District 92) said, “Congress is obviously not interested in updating those things or protecting privacy. If they’re not going to do it, states have to do it.” The flurry of laws can be burdensome for tech companies trying to comply; however, federal law prevents states from interfering with interstate commerce, the report states. [The New York Times]

US – California Governor Vetoes Privacy Bill Again

California Governor Jerry Brown has once again vetoed legislation that would have required law enforcement authorities to obtain warrants before searching suspects’ electronic communications. Governor Brown said the bill would impede investigations and would impose requirements beyond those in existing federal laws. This is the third time he has vetoed the legislation. [ComputerWorld] [Governor Brown’s Memo Explaining Veto]

US – Are Class-Actions Becoming Too Big To Settle?

The Recorder looks at privacy class-actions through the lens of recent suits against Google over its Street View and Gmail services, questioning whether it’s possible that plaintiffs now have too much leverage. Classes comprising millions of people and statutory damages could mean cases, such as the Street View case, become too expensive to strike a deal, the report states. As U.S. District Court Judge Richard Seeborg said in a recent class-action over Facebook’s sponsored stories, because of the class size, “even a modest per-class member payment could easily require a total settlement fund in the billions of dollars.” The “too-big-to-settle” phenomenon is likely to grow as Internet companies add to their user bases, the report states. [Full Story]

US – Does the U.S. Have a De Facto National DPA?

Traditional thinking posits that the U.S. does not have a national data protection authority. “But tell that to Google. Or TJX. Or CBR Systems. Or any of the dozens of other companies that have been pursued by the U.S. FTC over the past several years for alleged data security or privacy violations,” writes Steptoe & Johnson Partner Jason Weinstein. In this installment of Privacy Perspectives, Weinstein writes, “The FTC has made itself America’s de facto data protection authority through aggressive use of Section 5 of the FTC Act,” and, thus far, “the FTC is batting a thousand…” Challenges from Wyndham Hotels and LabMD, however, “symbolize the frustration felt by many companies” that believe they have been victimized once by a breach and then again by the FTC. [Full Story]

US – Amendment Would Require EU Permission for U.S. Law Access

Lawmakers have introduced an amendment to the Data Protection Regulation being debated in the European Parliament that could require U.S. companies to seek clearance from European officials before complying with U.S. law enforcement requests for data, The New York Times reports. The amendment responds to U.S. NSA revelations and could be decided as soon as Monday, when the Committee on Civil Liberties, Justice and Home Affairs (LIBE) will vote on amendments to the European data protection regulation. A coalition of U.S. consumer, privacy and public interest groups has written to the European Parliament expressing support for the proposed regulation. Meanwhile, a European official said the proposed regulation will not modify Safe Harbor, though there has been widespread speculation over Safe Harbor’s future. Wilson Sonsini Goodrich & Rosati’s Christopher Kuner in Brussels told the Daily Dashboard that while Safe Harbor has always been controversial and that controversy has reached a fever pitch following the Snowden revelations, he “doubts very much it will really be suspended. I think what they will push for is to get some improvements … I think it’s more realistic that Safe Harbor will always have some utility.” [Full Story]

US – PA House Passes 911 Privacy Bill

Patch.com reports that the Pennsylvania House has passed HB 1041, providing an exemption to the state’s Right-To-Know law for information that could identify a 911 caller. The bill is sponsored by Joe Hackett (R-Delaware), who noted, “the identity of the caller must be kept confidential to prevent cases of retribution against informants and to ensure the public has a sense of safety and privacy when reporting a crime or other emergency.” The bill now heads to the Senate.

US – Texas AG Seeks to Stop Dating Service’s Database Sale

Texas Attorney General Greg Abbott wants to stop the sale of an online dating service because of concerns about the personal information involved. True.com filed for bankruptcy protection more than a year ago and is selling its assets, which include a 43-million member database—two million of whom are Texans. “The proper course is for True.com and its bankruptcy trustee to seek the customers’ permission before selling their private information to a third party—and that’s exactly what our legal action asks the bankruptcy court to require before the case proceeds,” Abbott said. [KFYO]

US – Is DoJ Setting Up New SCOTUS Wiretapping Test?

The U.S. Department of Justice is potentially setting up, for the first time, a Supreme Court test of whether it’s constitutional to notify a criminal defendant that evidence against him came from wiretapping. Additionally, the department’s National Security Division is looking through closed cases to find other defendants who faced similar evidence that resulted from a 2008 wiretapping law—which allowed eavesdropping on suspects without a warrant when the communications crossed borders, the report states. Columbia University Law Prof. Daniel Richman said, “It’s of real legal importance that components of the Justice Department disagreed about when they had a duty to tell a defendant that the surveillance program was used … It’s a big deal because one view covers so many more cases than the other, and this is an issue that should have come up repeatedly over the years.” [New York Times]

US – A Model Bill to Put CPOs in State DoEs

Sheila Kaplan, independent education and information policy researcher, student rights advocate and EPIC advisory board member, has written a model bill that would install chief privacy officers in state Departments of Education (DoEs). Kaplan outlines the problems she sees with FERPA, the risks of not adequately protecting data held by DoEs and why tackling this problem at the state level makes sense. “Students deserve a true advocate for their rights in a data-driven environment that often places profit and corporate interests above the privacy rights of children and their families. Those who bear responsibility for student records need a reliable resource to help them manage their obligations.” [Privacy Tracker]

Workplace Privacy

US – State Medical Board Releases Social Media Guidelines

The Rhode Island Board of Medical Licensure and Discipline has released a set of guidelines for physicians’ use of social media to help establish acceptable patient privacy interaction, Health IT Security reports. The board’s Policy Guidelines for the Appropriate Use of Social Media and Social Networking in Medical Practice sets standards for protecting patients’ privacy, avoiding online requests for medical advice, acting with professionalism and being transparent about one’s credentials and aware that posts could be publicly available. In a Privacy Perspectives post earlier this year, Indiana University Health Chief Privacy Officer Valita Fredland wrote about why healthcare providers should utilize social media. [HealthIT Security]

+++

01-16 October 2013

Canada

CA – Groups Come Together Against Gov’t Surveillance

Georgia Straight reports that more than 20 organizations convened in Vancouver to launch the Protect Our Privacy Coalition, a group of “citizens, experts, organizations and businesses” that “have come together to defend our right to privacy based on a common statement of principle.” Micheal Vonn, policy director for the BC Civil Liberties Association, says the group was formed in response to indications that Prime Minister Stephen Harper plans to implement sections of Bill C-30, commonly known as the online surveillance bill, and OpenMedia.ca Executive Director Steve Anderson points to revelations about spying by Communications Security Establishment Canada. [Full Story]

CA – CIRA CEO: Local IXPs Can Help Avoid Snooping

The Canadian Internet Registration Authority (CIRA) has launched an initiative to create local Internet exchange points (IXPs) “where carriers and communications providers directly connect with each other to exchange traffic,” keeping that Internet traffic out of U.S.-based exchanges. CIRA President and CEO Byron Holland noted, “All the events coming out of the U.S. with the NSA and the PRISM program highlight that it’s a good idea to keep traffic in your own jurisdiction as much as you can.” Without local IXPs, he explained, “I could be sending you an e-mail from downtown Ottawa to another point in Ottawa, and there’s a 40% chance that will go through the U.S.” [IT Business]

CA – Change to Adoption Law Raises Concerns

Under current adoption law in Quebec, if an adopted child would like information about a birth parent, there is a process whereby a youth and family service center contacts the parent to see if they’d be interested in meeting or communicating. Similarly, the center acts as a pass-through should a parent who has given a child up for adoption want to meet that child later in life. Under a new proposed reform, however, children and parents would have to register a “veto” against their identities being given out, otherwise the information would be distributed upon request. Privacy concerns have been raised because while adopted children will have their veto automatically registered when the law passes, parents would have just 18 months to register their veto or have their identities made available. [The Montreal Gazette]

CA – Manitoba Legislation Awaits Proclamation

Manitoba’s new privacy legislation, which received Royal Assent last month, now awaits proclamation. The province’s Personal Information Protection and Identity Theft Prevention Act (PIPITPA) “will establish rules for the collection, use and disclosure of personal information, including employee information, for most organizations in the province,” the report states, noting, “At this time, the federal government has not determined whether PIPITPA is ‘substantially similar’ legislation, such that it will replace the Personal Information Protection and Electronic Documents Act within the province.” [Financial Post]

CA – BC Celebrates 20 Years of FIPPA With Video, Conference

British Columbia’s Office of the Information and Privacy Commissioner played host yesterday and today to a two-day conference, Privacy and Access 20/20: A New Vision for Information Rights, designed to both celebrate the 20th anniversary of the passing of the Freedom of Information and Protection of Privacy Act and to look forward to new challenges in information access and privacy. In a column for the Vancouver Sun, and accompanying video, Commissioner Elizabeth Denham lays out “some of the challenges we never envisioned in the early days of privacy legislation.” [Full Story]

CA – Denham: BC Laws Must Be Modernized

In an op-ed marking the 20th anniversary of the province’s Freedom of Information and Protection of Privacy Act, BC Information and Privacy Commissioner Elizabeth Denham looks at the history of the law and the areas where reform and modernization are needed. Denham suggests the Document Disposal Act must be modernized to address public demand for transparency and accountability. Additionally, she calls for the province to anticipate the challenges of this age of Big Data, adding the province “should be more concerned with the magnitude and frequency of privacy breaches and data spills in the public and private sector.” [The Vancouver Sun]

CA – Remembering Canada’s First Commissioner

Justice Inger Hansen, Canada’s first privacy commissioner, who passed away on September 28, is remembered in an obituary. Hansen, who was born in Denmark in 1929, visited Canada for the first time in 1950 and emigrated a few years later. Appointed as Canada’s first privacy commissioner in 1977, she was “responsible for complaints relating to privacy rights and data protection, a field in which she soon became an internationally recognized authority.” In 1983, Hansen was appointed as Canada’s first information commissioner, and she went on to an appointment to the Ontario Court of Justice in 1991. A memorial service is planned for late October. [Ottawa Citizen]

CA – Union Loses Bid to Keep Recordings out of Court

A major Quebec labour union has lost its bid to prevent the provincial corruption inquiry from hearing wiretap conversations involving its senior leadership. The taped conversations of the FTQ union were taken by police during an investigation. The inquiry will only use those parts of the conversations related to “professional functions” and will not focus on individuals’ personal lives. “We must find a balance between private interests, the right to respect for privacy and the public interest in the search for truth and public information related to the mandate of the inquiry,” the commission wrote in its ruling. [CTV News]

Consumer

WW – MasterCard Study Looks At Human Nature Vs. Online Privacy

MasterCard has released a study revealing that traditional demographics—age, gender, race—are poor indicators of consumer attitudes toward online privacy. MasterCard conducted interviews with 9,000 Internet users globally. Theodore Iacobuzio, MasterCard vice president of global insights, said, “We were blown away … It’s all about why you go online,” adding, “Why you go on determines your attitude toward data privacy.” Iacobuzio’s team defined five online personality types: passive users, proactive protectors, solely shoppers, open sharers and simply interactors. The study also found that privacy attitudes do not change; they “determine your behavior.” Iacobuzio said, “One of the real lessons of this piece is that consumers are well-aware of how to protect (their privacy) and whether they want to or not.” [The Washington Post] See also: [Forbes: U.S.-Style Personal Data Gathering Is Spreading Worldwide]

E-Mail

US – Yahoo Sued for Eavesdropping on E-Mail from Non-Yahoo Users

A complaint filed in the U.S. District Court for the Northern District of California alleges Yahoo violated California privacy and federal electronic communications laws by scanning nonusers’ e-mails in the name of targeted ads. The plaintiffs, who are not Yahoo users, allege Yahoo’s interception of messages sent to a Yahoo subscriber in order to profile, collect data and scan for keywords violates California’s Invasion of Privacy Act and the Electronic Communications Privacy Act. The complaint says the practice is “the type of behavior that the U.S. Congress and the California legislature has declared should not be tolerated in a free and civilized society.” [Bloomberg]

US – Harvard to Hold Meetings on E-mail Privacy Policy

A Harvard University taskforce will hold two meetings this month to collect feedback from students, faculty and staff on the school’s e-mail privacy policies. The move comes after fallout from revelations earlier this year that school administration officials covertly searched approximately 14,000 e-mails to find the leak that led to a cheating scandal. In addition to the two meetings, the taskforce has launched a discussion blog and has met several times over the summer to define “underlying principles and questions that it hopes to discuss with the community in the coming months,” according to a university statement, which added, “Among the principles: transparency about the realities of technology, the importance of fostering trust in the Harvard community and respect for the privacy interests necessary to ensure academic inquiry.” [Boston.com]

WW – Yahoo Webmail Gets Default SSL Protection in January

Yahoo has announced that starting on January 8, 2014, all Yahoo mail will be protected by SSL by default. Microsoft has offered optional SSL protection since 2010, and it has been the default for Microsoft webmail since July 2012. Facebook implemented SSL for all connections several months ago; it has been an option since 2011. Twitter offered it as an option at the beginning of 2011 and made it the default by August of that year. Google has had SSL on by default since 2010, and as an option since 2008. Yahoo began offering the option of SSL encryption earlier this year. [WashPost] [CNET] [Register]

Electronic Records

US – McAfee: “What Idiot Put This System out There?”

While some said the criticism of privacy protections in the Affordable Care Act’s implementation was political grandstanding, at least one noted cybersecurity guru is right there with them. In a scathing criticism of the technical implementation of the Affordable Care Act, John McAfee said it is a hacker’s “dream.” Because there is no central organization of the program, “anybody can put up a web page and claim to be a broker for this system … [and] it’s not something software can solve.” An unsuspecting person is likely to think a rogue website is real and deliver up their Social Security number and various other intimate health details, only to discover the site is fake and built to steal identities. Retirees, McAfee predicts, will have their savings “wiped out in one day because [they] signed up for Obamacare.” [Full Story]

Encryption

WW – Researcher Finds Encryption Flaw in WhatsApp

A security researcher said he has found an encryption flaw making it possible for adversaries to decrypt communications sent with WhatsApp, though developers say the messages are “fully encrypted” and the company’s CEO says the report is “sensationalized and overblown.” A computer science and mathematics student wrote in a blog posted Tuesday, “You should consider all your previous WhatsApp conversations compromised,” adding, “There is nothing a WhatsApp user can do about this … except to stop using it until the developers can update it.” [Ars Technica]

US – Lavabit Founder Appealing Govt’s Order to Turn Over Encryption Keys

Ladar Levison, owner of the now-shuttered secure email service Lavabit, is asking the Fourth Circuit Court of Appeals in Virginia to rule that the government’s orders earlier this year demanding that the company surrender its private SSL keys were unlawful. Levison is hoping to reopen the business. While Edward Snowden has not been named in connection with the Lavabit case, it seems likely that it was Snowden’s communications the government sought when they demanded that Levison turn over the keys. Levison eventually relented, but shut down his company immediately after surrendering the keys, saying that he would rather shut down his business than be “complicit in crimes against the American people.” [WIRED] [NBC News]

WW – Lavabit Users Will Have Brief Window to Reset Passwords, Retrieve Data

Lavabit will reopen for a brief window of time to allow users to retrieve their data from the company’s servers. Starting at 8 PM US Eastern time on Monday, October 14, users have 72 hours to change their passwords. Following that period, users will have a short window of time to retrieve an archive of their stored messages and account data. [CNET] [Engadget]

US – US Govt Demanded Lavabit Encryption Keys

Recently unsealed documents in a court case regarding secure email provider Lavabit’s appeal of a US government demand for information show that the government had ordered Lavabit to provide it with its SSL keys. The order reads, in part, “The court determines that there is reason to believe that notification of the existence of this order will seriously jeopardize the ongoing investigation.” Levison says he suggested logging Snowden’s communications, decrypting them and uploading them to a government server on a daily basis. But the government wanted the private SSL certificate used to encrypt all Lavabit traffic. He initially provided the encryption keys in hardcopy format, printed out as strings of numbers. When he was found to be in contempt of court for this action and fined US $5,000 a day, he eventually relented and provided the government with the electronic keys, but then immediately shut down his business. [ArsTechnica] [ComputerWorld] [WIRED] [ZDNet] [Register] [Pleadings Exhibits (Redacted)]

EU Developments

EU – Groups Lobbying “Furiously” Ahead of Oct. 21 Regulation Vote

The European Parliament’s vote on “the introduction of the harsh new Data Protection Regulation,” scheduled for October 21, will place the “battle between Big Data and individual privacy” front and center, the report suggests. With such organizations as the World Federation of Advertisers and the Industry Coalition for Data Protection “furiously lobbying ahead of the vote, hoping for a lighter-touch regime to protect the interests of business,” the report notes that while this month’s vote is not the last step in the process, “it is a key step in determining the outcome.” [AdAge]

EU – Justice Ministers Support “One-Stop Shop”

European justice ministers on Monday agreed “in principle” to accepting a “one-stop shop” framework for organizations doing business within the EU. The rule would set up a system whereby businesses processing personal data of Europeans would report to one data protection authority instead of as many as 28. French officials had called for a joint decision-making panel among data protection authorities, but Irish officials strongly opposed the proposal. Both Google and Facebook have their European headquarters in Ireland. Lithuanian Justice Minister Juozas Bernatonis said the aim is “to ensure legal certainty and reduce the administrative burden.” EU Justice Commissioner Viviane Reding said the move will benefit the consumer: “A citizen who has a problem will address himself to his own data protection authority not, as is currently often the case, a foreign authority.” [IDG News Service]

EU – U.S. Safe Harbor, Australian Gov’t Actions Questioned

The European Parliament’s Electronic Mass Surveillance of EU Citizens Inquiry is discussing the EU-U.S. Safe Harbor data sharing agreement and has concerns that “the system is flawed and allows for wide-scale abuse by the firms themselves and easy infiltration by U.S. intelligence agencies.” Christopher Connolly of Australian-based consulting firm Galexia told the committee that “many claims of Safe Harbor membership are false”—to the tune of 427 organizations “with hundreds of millions of customers.” Meanwhile, ABC News reports on documents obtained under Freedom of Information laws showing Australia’s government “knew about the secret U.S. Internet spying program PRISM months before a whistleblower made details public.” [Press TV]

UK – Privacy Groups Taking GCHQ to Court

Privacy advocates Big Brother Watch, the Open Rights Group, English PEN and Constanze Kurz have filed a legal challenge claiming GCHQ’s “mass online surveillance programmes have breached the privacy of tens of millions of people across the UK and Europe,” The Guardian reports. UK MPs cleared GCHQ of any wrongdoing, and Privacy International has launched a case that will be heard by the Investigatory Powers Tribunal, but Nick Pickles of Big Brother Watch has said, “Parliament did not envisage or intend those laws to permit scooping up details of every communication we send, including content, so it’s absolutely right that GCHQ is held accountable in the courts for its actions.” [Full Story]

EU – Dutch Gov’t Wants Input on Cookie Rules Change

The Dutch government has introduced a proposal for a change in cookie rules and is seeking public input, Mondaq reports. The proposed amendment was introduced by the minister of economic affairs in May and is symbolic of the new way the Dutch government looks at cookies. It aims to exempt some cookies from the rules: if browsers allow users to actively configure settings, implicit consent may be an acceptable method, the report states. [Full Story]

EU – Will Regulation Create Euro-Only Cloud?

While the originally proposed EU Data Privacy Regulation did not include provisions to address cloud computing, several amendments have been added since. The New York Times reports that among those proposed, one bars transfers of data from EU to U.S. clouds without informed consent and another would require such transfers to come with a notification “to the data subject of such transfer and its legal effects.” EC Vice President Neelie Kroes says, “European citizens will not embrace the cloud if they are worried for their privacy or for the security of their data,” and other EU regulators seem to agree, calling for the development of European clouds. But outside the EU, others question the effect of creating European clouds. [Full Story]

EU – Avoiding Breach Fines

With a new 24-hour breach reporting mandate in place for companies doing business in the EU, WatchDox Co-founder and CEO Moti Rafalin writes, “Businesses in Europe now get a single day in which to figure out what went wrong, who could be hurt by it and how they will prevent it from happening again,” adding, “With that kind of stringent reporting regulation on the books, it’s hard to imagine why any electronic communication service companies … would fail to do everything possible to avoid security breaches.” With potentially more strict breach mandates on the horizon within the proposed EU regulation, “the choice organizations face now is whether to invest in prevention or suffer the consequences of data loss in the face of new regulations and potential litigation,” Rafalin writes. [ITProPortal]

EU – Netflix Dutch Privacy Violations: Watchdog Finds Itself Unable to Bite

Online streaming service Netflix has been found in violation of Dutch privacy law, but the nation’s data protection authority is unable to take action because the company’s European headquarters is located in Luxembourg. If the company had been located in The Netherlands or outside of Europe, the regulator would have been able to take action. According to Dutch law, businesses need explicit consent from customers prior to processing data that can be directly or indirectly traced back to an individual. Sander Dekker, The Netherlands’ secretary of education, said, “Netflix gathers so much information of its customers that this can be considered extremely sensitive data … customers must give their express consent for that, which, in case of Netflix, they have not.” [ZDNet]

EU – Microsoft Asked by EU Privacy Watchdogs to ‘Improve’ Policies

European data protection regulators have asked Microsoft to tweak its Internet product policies as part of a formal probe into privacy issues. The Article 29 Working Party has “identified a number of areas where improvements are required,” according to a statement. “Microsoft was asked to send its response very shortly, explaining how and when it would implement” the recommendations. The regulators added they are confident that an agreement will soon be reached and indicated Microsoft has been cooperative during the investigation. [Bloomberg]

FOI

US – Justice Asks FISC Not to Allow Companies to Divulge Data Request Details

The US Justice Department (DoJ) has asked the FISC to deny a request from major technology companies, such as Google, Microsoft and Facebook, to publish additional details about requests for information they have received from the government. According to a September 30 DoJ filing, divulging the specific numbers of requests, and in some instances, the nature of the requests, would “be invaluable to our adversaries.” The companies expressed their disappointment, with a Yahoo spokesperson noting that the decision “ultimately breeds distrust and suspicion – both of the United States and of companies that must comply with [their] directives.” [WashPost]

Google

WW – Google Unveils Plans for User Names, Comments to Appear In Ads

Google plans to launch ads similar to Facebook’s “social” ads, which incorporate photos, comments and names of users. The changes were announced in the company’s revised terms of service last week. EPIC’s Marc Rotenberg said such ads unfairly commercialize Internet users’ images. Sen. Ed Markey (D-MA) has asked the Federal Trade Commission (FTC) to look at Google’s privacy changes, writing in a letter to the FTC that the policy raises questions about “whether Google is altering its privacy policy in a manner inconsistent with its consent agreement with the commission and, if the changes go into effect, the degree to which users’ identities, words and opinions could be shared across the web.” [Reuters]

US – Google Wins Dismissal of Suit Over Web Browser Cookies

Google has won the dismissal of a lawsuit that alleged it had violated computer users’ rights by slipping electronic cookies into their web browsers in the name of targeted advertising. Consumers sued in federal court alleging Google tricked their browsers into accepting the cookies. But U.S. District Court Judge Sue Robinson said in her opinion that users “didn’t demonstrate that Google intercepted any ‘contents or meaning’” under California’s Invasion of Privacy Act, the report states. [Bloomberg]

WW – Google Modifies Analytics In EU-Wide Privacy Concession

In a surprise turnaround, Google will begin offering data processing agreements to websites using Google Analytics in the EU, Iceland, Norway and Switzerland. Since 2011, Google has only offered the agreements in Germany, but after pressure from the Article 29 Working Party to make the agreements EU-wide, Google said in a statement, “Over the last few years, Google Analytics customers have asked us to offer data processing agreements that clarify how Analytics data is stored, used and secured. In response to this demand, we’re pleased to provide an optional data processing agreement to Google Analytics customers,” adding, so far, the agreement will only be available in English. The Dutch data protection authority (DPA) has not yet commented, but one privacy expert said the move is significant, adding, “It’s clearly the result of the close coordination of the different DPAs in this case.” Meanwhile, the U.S. Supreme Court has declined a Google Adwords privacy lawsuit. [IDG News Service]

US – Google Wants Wiretap Law Review Before Trial

Google has asked a federal judge for permission to take questions about federal wiretapping laws before a Gmail class-action advances any further. Multi-district claims over Google’s changes to its privacy policy last year have been combined into a single, massive class-action accusing the company of violating federal and state wiretapping, privacy and computer fraud laws. In a recent filing, Google said it wants questions about exceptions to the Electronic Communications Privacy Act answered by the Ninth Circuit before the suit moves forward. [Courthouse News Service]

Health / Medical

US – Texas HSA Tells Providers: Get Certified

The Texas Health Services Authority is encouraging HIPAA compliance among providers and calling for them to become privacy- and/or security-certified. Citing the potential penalties at the state and federal level—including the Texas Medical Records Privacy Act’s authorization of fines ranging from $5,000 to $1.5 million per violation—the report highlights the authority’s efforts moving forward on a voluntary HIPAA compliance certification program authorized in a 2011 state law. The Health Information Trust Alliance is creating the certification recommendations. [HealthData Management]

US – Tiger Team Hears “Accounting for Disclosures” Testimony

A hearing before the Health IT Policy Committee’s Privacy and Security Tiger Team addressed providing patients with information about access to their healthcare data. The hearing on the “Accounting for Disclosures” policy mandated by the HITECH Act included comments from various stakeholders. Patient Privacy Rights’ Deborah Peel “recommended that regulators require health IT developers to provide open access to logs that record every instance a patient’s digital health information is accessed or shared over a network,” the report states, while “doctors, insurers and software developers said such a policy is not feasible.” The committee is currently scheduled to meet October 9. [iHealthBeat]

Horror Stories

WW – Adobe Issues Security Updates for Reader, Acrobat, and RoboHelp

On Tuesday, October 8, Adobe released two security updates for Reader and Acrobat. The first update addresses a memory corruption flaw in RoboHelp 10 publishing software. The second update addresses a regression in Reader and Acrobat that affects JavaScript security controls. Both updates are for Windows only. [Internet Storm Center] [SANS Bulletin] [SC Magazine] [CBR online] [InfoSecurity] [Reader and Acrobat]

WW – Attackers Steal Adobe Product Source Code and Access Customer Data

Hackers broke into Adobe’s network where they stole source code for a number of products, including Acrobat, ColdFusion, and ColdFusion Builder. They also accessed customer data, including account login credentials and nearly three million payment card records. The stolen data were stored on the same server used by the criminals who stole data from LexisNexis, Kroll, and Dun & Bradstreet. Adobe believes the attackers accessed the source code repository in mid-August. [Krebs] [CNET] [ArsTechnica] [BankInfoSecurity] Adobe Announcements: [Illegal Access to Adobe Source Code] [Customer Security Announcement] [Internet Storm Center]

WW – 2.9 Million Customers Affected by Cyber-Attack

Adobe has confirmed that 2.9 million customers had private data including passwords and payment card information stolen “during a ‘sophisticated’ cyber-attack on its website,” BBC reports. The illegal access of a variety of products’ source code is also being investigated, the report states. “We deeply regret that this incident occurred,” said Adobe CSO Brad Arkin, adding, “Based on our findings to date, we are not aware of any specific increased risk to customers as a result of this incident.” However, a security expert has told BBC, “Access to the source code could be very serious … if hackers manage to embed malicious code in official-looking software updates, they could potentially take control of millions of machines.” [BBC]

WW – October Shaping Up to Be Month of Innumerable Breaches

PII lost, stolen or compromised through human error. Cybersecurity concerns. Health data lost. Amidst this month’s onslaught of breach reports from across the globe, the world’s premier search engine is acknowledging just how devastating a breach could be. “If Google were to have a significant data breach today, of any kind, it would be terrible for the company,” Google Executive Chairman Eric Schmidt has said. However, as The Wall Street Journal reports, he has also indicated Google CEO Larry Page “is ‘so wired’ to the risks that it is ‘inconceivable’ that a major data loss would occur.” In this exclusive, we round up an already very busy month in data breaches and responses. [The Privacy Advisor] Amidst last week’s reports of a hack affecting 2.9 million customers, Adobe is resetting relevant customer passwords and “notifying customers whose credit or debit card information may have been compromised.” Meanwhile, in the wake of privacy concerns about the reuse of inactive Yahoo e-mail addresses, PCWorld reports on Microsoft’s recycling of old addresses. And from medical data to personal information, breaches are being reported across the globe. In the UK, human error resulted in the exposure of hundreds of personal e-mail addresses, while the Information Commissioner’s Office has revealed that despite prior warnings, sensitive personal data was “incorrectly handled” by Luton Borough Council staff. In Ireland, The Journal reports on 11 patient data breaches at hospitals in a six-month period. And in the U.S., North Carolina-based CaroMont Health exposed about 1,300 patients’ data in an unsecure e-mail, and Natural Provisions, a Vermont grocery store chain, has agreed to pay $30,000 to settle a violation of state data breach laws. [Mondaq]

US – School District, Health-Related Breaches Reported

A New Orleans teachers’ union claims the East Baton Rouge Parish school system violated its employees’ privacy rights when it purchased a full-page ad to congratulate—by name—1,113 educators, The Advocate reports. In Illinois, a local hospital is alerting some of its patients of a possible data breach after a laptop was stolen from an employee’s car. In California, a public health unit is notifying almost 600 patients that their protected health information has been compromised after a laptop was stolen there. And in Iowa, law enforcement is investigating a breach of electronic medical records after a third-party company gained access to the system using an authorized user’s password. Meanwhile, healthcare experts have been discussing concerns related to the need to share veterans’ healthcare data and recent breaches at Veterans Affairs. [Full Story]

Internet / WWW

US – Ad Groups Working on New Tech for Opt-Out

With the W3C’s efforts on Do Not Track moving along again with a call October 9, The San Francisco Chronicle details work by the Digital Advertising Alliance and the Interactive Advertising Bureau to develop technology that would allow consumers to opt out of online tracking “when methods other than traditional cookies are deployed.” The article focuses on a firm called BlueKai, which develops technology for data transfer independent of cookies, but with “the same transparency and notices that cookies have.” [Full Story]

US – Silk Road Bust Shows Feds Penetrating Deep Internet Anonymity

The bust this week of the notorious online entrepreneur Dread Pirate Roberts, now known to be Ross William Ulbricht, a 29-year-old from San Francisco, CA, and the closing of his Silk Road online marketplace for illicit drugs and other sundries, shows U.S. law enforcement is infiltrating ever deeper into the “Deepnet” or “hidden Internet.” Silk Road operated on the Tor anonymity network and was used by thousands to get home deliveries of everything from cocaine to fake passports. Because of Tor’s ability to shield IP addresses and online personas, it can be difficult to uncover the identities of those running these kinds of marketplaces that are hidden from the vast majority of Internet users. In this case, it may be that Ulbricht was undone by his use of a Gmail address. [CSO Online]

US – “Big Data” Likened to Atomic Power and Other NSA-Related News

A scientist suggests that Big Data is akin to atomic energy in that “it’s very beneficial when used ethically and downright destructive when turned into a weapon.” Meanwhile, in its ongoing series examining the digital trails we leave behind “and who potentially has access,” NPR considers whether the Fourth Amendment provides any protection. And a Tech Dirt feature focuses on 2013 IAPP Vanguard Award winner and former Department of Homeland Security (DHS) CPO Mary Ellen Callahan, founder and chair of Jenner & Block’s Privacy and Information Governance Practice. The report cites Callahan’s comments in support of protecting Americans’ privacy rights amidst what its author references as a “lack of respect for privacy in both (DHS) and the wider intelligence community.” [TechDirt]

Law Enforcement

CA – Police Consider Wearable Cameras

The Toronto Police Service is considering wearable cameras for its police force. The aim of the wearable cameras is to provide the police and the public with better accountability. Deputy Chief Peter Sloly said the force is in the process of researching the cameras and understanding the potential logistical factors. “We’ll have to look at the IT supports,” he said, “the governance—there’ll be privacy issues.” The cameras would potentially be worn on glasses to record incidents from the officer’s view. A representative from the Canadian Civil Liberties Association has expressed concern over the technology, saying that “if you have all these things on your databases, what are the other potential uses of this? Have they thought this through?” [The Globe and Mail]

Location

US – Advertisers Finding New Ways to Track Mobile Users

New trends in mobile tracking are emerging, even if “tracking is a dirty word” now, according to Eric Rosenblum, COO at Drawbridge, a start-up that is “observing your behaviors and connecting your profile to mobile devices.” Thus, advertisers are now able to connect desktop browsing with mobile devices based on app downloads and other indicators. Other firms, like Flurry, Velti and SessionM, are doing similar work in helping advertisers like Ford, American Express and Expedia better target potential customers, according to the report. For many advertisers, the report says, “cookies are becoming irrelevant.” [The Boston Globe]

WW – Indoor Location Market Set to Boom; Privacy Concerns Loom

Steve Smith writes that one of the upcoming battlegrounds in the mobile sphere “is not over accessing everyone everywhere but over very specific places and the people moving within them,” adding, “The indoor location market is suddenly about to boom.” According to ABI Research, within the next year there will be at least 25,000 mapping and indoor location technology installations across the globe as well as the handsets supporting such technology. An ABI director wrote, “Apple hasn’t made a big marketing deal on indoor with the new iPhone 5s, largely because the ecosystem isn’t in place yet.” But within the phone there “is a hardware platform that is now well-placed to support ‘always-on’ indoor location, sensor fusion and ambient intelligence.” Meanwhile, Apple’s new iOS7’s tracking capabilities—particularly its “Frequent Locations” function—and the new iPhone’s motion sensor chip are raising privacy concerns. [MediaPost]

WW – Bolstering Brick-and-Mortar Transparency

Improved technology now allows brick-and-mortar retailers to collect data—including location and contacts—from customers’ smartphones, but according to research conducted by Create with Context (CwC), only 33% of the customers surveyed were aware of such collection. Previous research has revealed that when customers are unaware of such data collection—but then find out about it later—trust erodes. “How, then,” Ilana Westerman and Gabriela Aschenberger, both of CwC, ask, “can businesses create transparency around data collection?” [Full Story]

WW – App Tracks Consumers in Exchange for Discounts

A new shopping app tracks consumers and gives them discounts based on their location. Capable of detecting microlocation—detecting such minute details as the aisle of a store in which a consumer is standing—it communicates with the Bluetooth in users’ cellphones and alerts them to tailor-made discounts. The app’s investors and CEO “are betting on the fact that consumers won’t mind tracking if they get a significant payback from it,” the report states. The app raised $8 million in venture capital Tuesday. [Blouin News]

Online Privacy

WW – Facebook No Longer Lets Users Hide from Search

Facebook has announced the final phase of removing an old privacy feature from the site. The feature, called “Who can look up your timeline by name?” allowed users to be hidden from searches if they so chose. Those users will now begin to see removal notices from Facebook. Now, user “timelines” will only be private when marked to be seen by “friends only.” Facebook says only a single-digit percentage of users on its network were using the setting. [USA TODAY]

EU – Privacy Group Receives Facebook Response

Privacy activist group Europe-v-Facebook has received responses from Facebook to complaints about the company’s privacy policy, but the Irish Data Protection Commissioner (DPC) said the group was barred from releasing them, Computerworld reports. According to the group’s website, however, the DPC has clarified its decision and will allow the group to publish the 200-page response. The group originally filed the complaints with Facebook two years ago, claiming the social network’s privacy policies violate European data protection law. “After two years of constant battling, we finally received the ‘counterarguments’ by Facebook,” wrote Europe-v-Facebook, which now has until October 17 to comment on Facebook’s responses. The DPC will circulate a draft of its decision in the case prior to publishing its final decision. [Full Story]

WW – W3C Do Not Track in Limbo

The W3C’s Tracking Protection Working Group voted on whether to continue its efforts. The results? That remains unclear. The voting itself is public and can be found here. However, even one of the group’s new chairs isn’t sure how to interpret the results. With no option clearly the winner, the Center for Democracy and Technology’s Justin Brookman, who joined the group as chair just last month, said he is unsure of the group’s next step, adding W3C Director Tim Berners-Lee would make the ultimate decision. [The Privacy Advisor]

WW – W3C to Vote on DNT Effort

Web standards group the World Wide Web Consortium is set to vote Wednesday on whether it will continue with its Do-Not-Track (DNT) standard. Justin Brookman, the group’s newly appointed co-chairman, said he expects stakeholders “will express a desire to move forward,” adding, “We’ve had a couple of calls under the new leadership now, and so far the new structure seems to be working.” If the group expresses a desire to not move forward, Brookman said it would be “better to end it now than spend another two years squabbling and not coming to a resolution because people aren’t invested in the process.” The Washington Post reports that the increasing move by consumers to mobile will likely make current cookie-based DNT technology less relevant. According to several surveys, the majority of users now surf the web via mobile apps rather than browsers. [The Hill]

WW – Facebook Changes Teen Privacy Rules

Facebook has announced it has changed its privacy rules for teenagers allowing them to now “post status updates, videos and images that can be seen by anyone, not just their friends or people who know their friends.” Those between the ages of 13 and 17 will have their sharing default set to “friends,” but they will receive a notice of their options. The move is prompting concerns that while the changes have been described as giving teens “more choice, big money is at stake for the company and its advertisers,” a report by The New York Times states. Author Emily Bazelon cautions, “It’s risky to have teenagers posting publicly. The kids who might be the most likely to do that might not have the best judgment about what they post.” [Facebook]

US – DMA Releases Study Touting Data-Driven Job Production

The Direct Marketing Association (DMA) has released a study indicating data-driven marketing led to 675,000 jobs in the U.S. in 2012. The study responds to an increasing focus on regulating online tracking and data-driven marketing, a push that often puts the online ad industry on the defensive. The DMA’s Rachel Thomas said the study’s release aims to help change that. Meanwhile, the Better Business Bureau says “a ‘significant minority’ of publishers don’t follow self-regulatory rules requiring enhanced notice about data collection,” MediaPost reports. [The Hill]

US – Data-Mining App Receives $10M in Funding

Refresh, a mobile app that mines data about individuals present at meetings by gleaning information from social networks and other publicly available sources, has just received $10 million in venture capital. Refresh founder Bhavin Shah said, “It’s common now for each of us to have 10-plus years of posts, tweets, job history, Q&A, check-ins, etc. Now is the right time to start leveraging that fragmented information to make us more thoughtful and intelligent about our friends, colleagues and everyone we meet.” He added that Refresh’s work “allows us to anticipate who you’re going to meet today and consolidate interesting information about them into a just-in-time dossier delivered to your smartphone.” [Fast Company]

Other Jurisdictions

AU – OAIC Releases Best Practice Guide for Apps

The Office of the Australian Information Commissioner (OAIC) has unveiled a guide to help mobile app developers embed better privacy practices into their products. Mobile Privacy: A Better Practice Guide for Mobile App Developers recommends developers use short privacy notices. Privacy Commissioner Timothy Pilgrim said app developers should adopt a Privacy-by-Design approach. “The mobile apps that take privacy seriously will be the ones that stand out from the crowd and gain user trust,” he said. A ZDNet report, however, suggests, “Short of enforcing privacy laws on app store curators, it is doubtful that the developers will implement the otherwise worthy privacy protections.” Meanwhile, the OAIC’s 2013 Community Attitudes to Privacy Survey, which will be released in full on 9 October, indicates six in 10 Australians choose not to use smartphone apps due to privacy concerns. [TechWorld]

AU – Gov’t Urged to Rewrite Terms of Reference

The federal government has been urged to rewrite the terms of reference for its inquiry into privacy law. The terms of reference were drawn up by former Attorney-General Mark Dreyfus and require the commission “to produce detailed plans for a privacy tort or statutory cause of action,” the report states. The commission is expected to publish an issues paper next week based on those terms of reference, the report states. In the last six months, it has become clear “the major threat to privacy is the role of the state,” said Media Entertainment and Arts Alliance Secretary Chris Warren, adding that large data aggregators are going to be a key issue moving forward. [The Australian]

ZB – Zimbabwe Passes Centralized SIM Card Database

The Statutory Instrument 142 of 2013 on Postal and Telecommunications (Subscriber Registration) Regulations 2013 establishes a central database of information about all mobile telephone users in the country based on powers granted through the Interception of Communications Act. The Statutory Instrument requires telecommunications providers to establish a subscriber database of all SIM card holders including phone numbers, names, addresses, genders, nationalities and passport or ID numbers, then regularly submit copies to the government, which will create its own central subscriber information database. [Kubatana]

Privacy (US)

US – Markey Urges FTC to Vet Tracking Technologies

Sen. Ed Markey (D-MA) has called on the FTC to investigate technologies that allow companies to track users across multiple devices. “Such persistent and pervasive tracking raises a number of important privacy concerns for all Americans,” Markey said in a letter to the FTC Thursday. Meanwhile, a new report from privacy researchers indicates many websites are using new technology to secretly track users’ browsing habits. At the EmTech 2013 conference in Cambridge, MA, this week, a senior advisor to Microsoft CEO Steve Ballmer said a new privacy model is needed to address the ways data is gathered, eWEEK reports. [The Hill]

US – Airbnb Says “Nay” to AG’s Request for Data

New York State Attorney General (AG) Eric Schneiderman demanded that apartment-sharing site Airbnb release user data on 15,000 New York City apartment hosts to investigate the legality of the site, but Airbnb has filed a motion in the New York State Supreme Court objecting to the AG’s demands. In a statement, an Airbnb spokesman said, “The subpoena issued by the attorney general last Friday goes well beyond bad actors and demands information about thousands of regular Airbnb hosts in New York. So, we made it clear to the attorney general’s office from the very beginning that we would never agree to this type of government-sponsored fishing expedition.” [Business Insider]

US – Hulu Seeks Dismissal of VPPA Case

Hulu is seeking dismissal of a lawsuit accusing it of violating the federal Video Privacy Protection Act (VPPA) “on the grounds that the web users who filed suit didn’t suffer any injuries,” MediaPost News reports. Hulu is facing a potential class-action for allegedly violating the law “by revealing information about their movie-viewing history to comScore and Facebook,” the report states. But in court papers filed Wednesday, Hulu contends that the law specifies those who are “aggrieved” by violations may seek damages. “Congress could have worded the VPPA to provide monetary relief merely on a showing of an improper disclosure,” Hulu’s motion states. “But it did not do so.” [Full Story]

US – One Class-Action Dismissed; Another Dismissal Sought

A class-action suit against an ISP that partnered with ad targeting company NebuAd back in 2008 has been dismissed by an Illinois federal judge, while Symantec is seeking a dismissal of an unrelated class-action. In the NebuAd-related case, U.S. District Judge Edmond E. Chang has ruled that ISP WideOpen West Finance LLC “faces no liability” under privacy laws. In the Symantec case, the company has asked a California federal judge “to toss a user’s amended proposed class-action accusing the software company of concealing a data breach by hackers who stole source code, calling the user’s claims vague and deliberately obtuse,” the report states. [Law 360]

US – Group Presses for Safeguards on the Personal Data of Schoolchildren

Common Sense Media is calling for the educational technology software industry “to develop national safeguards for the personal data collected about students from kindergarten through high school.” In a letter sent to 16 educational technology vendors, the advocacy group urged that student data be used “only for educational purposes and not for marketing products to children or their families.” Common Sense Media CEO James P. Steyer said, “We believe in the power of education technology, used wisely, to transform learning … But students should not have to surrender their privacy at the schoolhouse door.” [The New York Times]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at this week’s IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. In this exclusive for The Privacy Advisor, Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [Full Story]

US – Callahan Named Vanguard; Innovation Award Recipients Announced

And the 2013 Privacy Vanguard Award goes to Mary Ellen Callahan, former chief privacy officer of the U.S. Department of Homeland Security. Announced Tuesday evening at the annual IAPP Privacy Dinner held in conjunction with the IAPP Privacy Academy in Seattle, WA, Callahan, who is founder and current chair of Jenner & Block’s Privacy and Information Governance Practice, was praised for her visionary leadership and extensive work in consumer protection law. Also at the Privacy Dinner, this year’s HP-IAPP Privacy Innovation Awards recipients were announced. Johnson & Johnson, Canadian Primary Care Sentinel Surveillance Network and Considerati were honored for their unique programs. [Full Story]

US – Advocates Call for Open Talks, Warn NSA Weakening Cybersecurity

A group of privacy advocates is warning that attempts by the U.S. National Security Agency (NSA) to weaken encryption for surveillance access will create mistrust in U.S.-based Internet companies around the world. Alan Davidson, a visiting scholar at the Massachusetts Institute of Technology and former Google public policy director, said for U.S. businesses, it is “terribly debilitating and undermining to have the rest of the world thinking there have been backdoors built into their systems to help the U.S. government.” The developments will also erode trust in the U.S. National Institute of Standards and Technology because of reports the standards group aided the NSA in tampering with the standards. Meanwhile, six privacy advocacy organizations are calling on the U.S. House of Representatives Privacy Working Group’s leaders to open up its meetings with tech companies to the public. [PC World]

US – Eggers Book Satirizes Threat to Privacy

Dave Eggers’ book The Circle satirizes the threat to personal privacy from technology giants. “Entertained at nightly campus events by famous musicians and artists, fed by celebrity chefs and bombarded by swag, employees of the Circle corporation are expected to bask in their mutual privilege through constant oversharing in the company’s thriving social networks,” the report states. The book’s protagonist, through incentives, begins living a fully transparent life online, delivering Eggers’ message that “too many of us flock to the Internet all too willing to abandon any sense of privacy around both our personal information and our inner lives.” The New York Times wonders if the novel will change the way we use technology. [The Associated Press]

US – Student Data Repository Debate Continues

The New York Times reports on the ongoing questions surrounding school district plans to outsource student data storage and the privacy implications. The article focuses on how a Colorado superintendent saw nonprofit data repository inBloom as a fix for managing data currently in multiple databases in the cloud. But “a series of parents, school board members and privacy lawyers assailed the plan to outsource student data storage to inBloom.” Among those who voiced concerns was EPIC’s Khaliah Barnes, who said, “While we understand the value of data for promoting and evaluating personalized learning, there are too few safeguards for the amount of data collected and transmitted from schools to private companies.” The district is expected to decide on the plan by January, the report states. [New York Times]

US – Rosenthal Is NAI’s New General Counsel, VP

The Network Advertising Initiative (NAI) has announced that longtime member company representative Noga Rosenthal has joined the NAI as its general counsel and vice president of compliance and policy. Rosenthal, who was formerly the senior vice president of 24/7 Media and Media Innovation Group, LLC, “will assist the NAI in its core mission of reinforcing responsible business and data management best practices through the development and rigorous enforcement of high standards.” “With online advertising expanding every year and the role of third parties and the technologies they employ highly debated by lawmakers and industry representatives, it is an incredibly important time to be joining the NAI team,” Rosenthal said. [Ad Ops]

US – AGs: We Aren’t Afraid to Flex Our Muscles

Representatives from the offices of three state attorneys general (AGs) said they aren’t reluctant to bring actions against companies involved in data breaches. Vermont Attorney General William Sorrell said AGs would bring such action to “serve as an example to other companies and … to have a relatively equal playing field.” Joanne McNabb of the California AG’s office pointed to the recent creation of a privacy unit under California AG Kamala Harris as proof of privacy’s importance to the state. [Bloomberg]

Privacy Enhancing Technologies (PETs)

WW – Cyber security: Privacy experts profit from Prism uproar

A burgeoning privacy-enhancing technology business, and rising profits, are stemming from Edward Snowden’s surveillance disclosures. Businesses and governments, in addition to journalists, are demanding encryption services for protection. Silent Circle, which offers text and phone encryption services, is used by 16 of the Fortune 50 companies. Silent Circle CEO Mike Janke said, “We were growing 100% a year before the NSA/PRISM scandal; now we are growing at 400%.” He added, “Ten years ago, if you had encryption on a device, people asked what you are hiding. Now if you’re a businessperson and you don’t have it, people ask if you’re stupid.” Capital is also being invested in the privacy tech industry. All Things D reports that privacy startup Personal, which offers a digital vault service, has raised $4.5 million. According to USA Today, Yahoo will begin default encryption services in January. [Financial Times]

Security

WW – Shortage of Cyber Security Professionals Felt Worldwide

Countries around the world, including the US, the UK, Brazil, and Indonesia, are establishing cyber forces to help defend critical networks from attacks. However, there are not nearly as many qualified specialists as are needed. The governments are also facing competition from private industry for the scarce resources; private industry offers higher salaries. Most universities are not graduating high numbers of students with necessary skills, and the coursework is more theoretical than practical. Hacking contests around the country are designed to identify people who have a talent in the area, and to raise awareness of the need for talented specialists. [NBCNews] [Japan Needs 80,000 Infosec Professionals]

US – Voluntary Exec Order Cybersecurity Standards Are Baseline Expectations

US companies that do not comply with voluntary cybersecurity standards being developed under the White House Executive Order could find themselves facing liability risks. While the standards will be voluntary, organizations that do not adopt them may face negligence, shareholder, and breach of contract lawsuits if they suffer a breach. The EO standards advise organizations to identify the most valuable data and classify them. The Information Week article points out that, “There is a major difference between being ‘compliant,’ and being ‘secure’” and that securing data is not an endgame – it’s a posture. Defenses built to protect the data must be monitored. The release has been delayed because of the government shutdown. The government will take public comment on the draft standards until February 2014. [Information Week] [ComputerWorld]

BR – Brazil Plans Secure Government eMail System

The Brazilian government has given the country’s Federal Data Processing Service (Serpro) the job of creating a secure email system to protect the government’s electronic communications from being intercepted by foreign intelligence agencies. According to leaked NSA documents, various intelligence agencies have electronically spied on Brazilian citizens, government officials, and the country’s national oil company, Petrobras. [ComputerWorld]

Surveillance

US – Are Providers Outside the U.S. Safer from Gov’t Intrusion?

The National Security Agency (NSA) harvests hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world. Each day, the NSA collects contacts from about 500,000 buddy lists and web-based e-mail accounts, the report states. Meanwhile, Solicitor General Donald Verrilli has asked Supreme Court justices not to hear the Electronic Privacy Information Center’s case asking for an immediate shutdown of NSA phone surveillance of Americans. In San Francisco, tech company BitTorrent has owned up to defacing its own billboards in order to capitalize on privacy fears following NSA revelations. And a U.S. appellate court has unsealed a set of documents pertaining to Lavabit, whose founder resisted government pressure for access to it. Ars Technica says that, despite NSA revelations, foreign e-mail providers may not be any safer from government intrusion than those based in the U.S. [Washington Post]

US – NSA Attempts to Crack Tor Are (Mostly) Unsuccessful

According to leaked documents, the NSA attempted to monitor targets using Tor by exploiting vulnerabilities in Firefox. NSA and its UK counterpart, GCHQ, have been trying for some time to crack Tor. Short for The Onion Router, Tor is an online anonymization service that helps users hide their identities and their online activity by routing encrypted traffic through other computers, which are volunteered by those machines’ owners. One of the attempts to break Tor involved infecting the computers of Tor users. The report indicated that the NSA has been unsuccessful in decrypting Tor communications but had managed to “de-anonymize a very small fraction of Tor users.” [BBC] [Guardian] [Schneier] [Ars Technica]

US – Privacy Fears Grow as Cities Increase Surveillance

Increased use by local law enforcement agencies of Big Data surveillance technology is raising corresponding privacy concerns. In particular, the city of Oakland, CA, recently received $7 million in federal funding to help fight terrorism at its major port. The money, according to the report, is being used for a police initiative including the purchase of gunshot-detection sensors in East Oakland and license plate scanners in police cars. Federal money is also supporting similar initiatives within the New York Police Department, including a system that links more than 3,000 surveillance cameras with license plate readers, radiation sensors, criminal databases and terror suspect lists. Oakland City Councillor Libby Schaaf said “it’s our responsibility to take advantage of new tools that become available,” but added that the system could “paint a pretty detailed picture of someone’s personal life, someone who may be innocent.” [The New York Times]

Telecom / TV

US – New TCPA Rules in Effect

The Federal Communications Commission’s revisions to the Telephone Consumer Protection Act (TCPA) went into effect October 15. The revisions require businesses to obtain express written consent before telemarketing and advertising through autodialed calls or text messages to consumer cellphones and prerecorded calls to residential phone lines. The revisions eliminate the exemption allowing firms to make prerecorded calls to a residential phone line if a pre-established relationship with the consumer existed. Punishment for violations of the new rules “can reach as high as $1,500 per violation (on a per call basis),” the alert states. [Covington & Burling client alert]

US Government Programs

US – TSA’s “Pre-Check” Raising Concerns

The Transportation Security Administration (TSA) Pre-Check program, which is due to formally launch this fall, “will already have the enthusiastic endorsement of frequent travelers—and an equally enthusiastic denouncement from privacy advocates.” The Pre-Check “trusted travelers” program may allow enrollees to bypass airport security lines, but it has privacy advocates pointing out that even those who pay the fee to enroll have no guarantee they’ll be included and those who are excluded may not be told why. “If you sign up, you’ll want to keep your nose clean for the rest of your life,” noted the Center for Democracy & Technology’s Gregory Nojeim, “because that’s how long the FBI will keep your fingerprints.” [The Washington Post]

US – FISC Approves NSA’s Request to Renew Phone Metadata Collection

The US Foreign Intelligence Surveillance Court has reauthorized the NSA’s phone call metadata collection program. The previous authorization order expired on October 11. News of the reauthorization was disclosed in a press release from the Office of the Director of National Intelligence. [ArsTechnica] [The Hill] [DNI Press Release]

US – Judge: Intelligence Director Withheld Docs Properly

A federal judge has ruled the director of national intelligence properly withheld documents related to how his office uses databases to fight terrorism. The Electronic Privacy Information Center filed suit in Washington, DC, after obtaining documents via a Freedom of Information Act request with the Office of the Director of National Intelligence on how the National Counterterrorism Center gets information from other federal agencies, the report states. Meanwhile, Director of the National Security Agency (NSA) Gen. Keith Alexander said the NSA must regain consumer and industry trust. In an opinion piece for Aljazeera America, Dan Froomkin opines that what’s needed is not promises from politicians but a public discussion of what privacy means in this new era. [Courthouse News Service]

US – General Alexander’s Scope of Influence Raises Concerns

NSA Director General Keith Alexander also heads the US military’s Cyber Command. Some have expressed concern about Alexander’s dual roles. The Brookings Institution’s Peter Singer said that it “blurs the lines between a military command and a national spy agency.” Alexander defends the breadth of his influence, saying, “We all operate on the same network. You create more problems by trying to separate them and have two people fighting over who’s in charge.” Jason Healey, director of the Atlantic Council’s Cyber Statecraft Initiative, said: “We’re allowing the same commander to tell us how bad the problem is and propose and implement solutions to fix it.” [WashPost]

US – Proposed Legislation Would Reform Foreign Intelligence Surveillance Court

Two US legislators are sponsoring a bill that would reform the Foreign Intelligence Surveillance Court (FISC). The proposed legislation is a companion bill to one introduced in the Senate earlier this year. Among its provisions are the creation of an Office of the Constitutional Advocate to argue for civil liberties during court proceedings and a requirement that the Attorney General declassify or summarize certain FISC decisions. [WashPost]

US – NSA Admits to Cellphone Location Data Gathering Pilot

The NSA has acknowledged that in 2010, it initiated a test project to collect wholesale cellphone location data on regular citizens, but ended the program in 2011 because it did not provide “operational value.” NSA director General Keith Alexander said on Wednesday, October 2, that sample cellphone location data were collected “to test the ability of [the NSA’s] systems to handle the data format, but that data was not used for any other purpose.” Alexander had evaded answering a question about the subject last week in a hearing. Senator Ron Wyden (D-Oregon) suggested that there is still “significant information” that has not been disclosed. [WashPost] [Register]

US – More Privacy Victims of the Govt. Shutdown

Groups tasked with U.S. intelligence oversight have suffered a setback at the hands of the U.S. federal government shutdown. According to a Politico report, the five-member Review Group on Intelligence and Communications Technologies, the independent surveillance oversight board created by President Barack Obama to respond to criticisms of the National Security Agency’s activities, met with Congressional intelligence leadership on Tuesday, but member Michael Morell, former director of the CIA, declined to take part, saying it was inappropriate in light of the shutdown. Then, on Friday, the Review Group’s staff was furloughed by the Office of Director of National Intelligence James Clapper. The volunteer board is free to meet, but all travel funds, etc., are frozen. Similarly, the Privacy and Civil Liberties Oversight Board was supposed to hold a public hearing Friday on proposals for changing surveillance programs but postponed the session because witnesses were unable to appear. Roughly 70% of the intelligence community in the U.S. is currently on furlough. Meanwhile, some are questioning why the FTC, for example, has chosen to cut off all access to its website during the shutdown. [Full Story]

US Legislation

US – Citing “Failure of Oversight,” Patriot Act Author Sponsors Reform Bill

US Representative James Sensenbrenner (R-Wisconsin), who authored the original Patriot Act in the days following the September 11 attacks, is displeased with how the legislation has been used to justify the NSA’s data harvesting programs. Sensenbrenner is introducing legislation with co-sponsors Senator Patrick Leahy (D-Vermont) and Representative John Conyers (D-Michigan) to try to address concerns over how the law has been used. The USA Freedom Act restricts aspects of the Patriot Act’s controversial section 215 so it will be used more narrowly, in line with the original intent of the law. The bill also introduces changes to the FISC, including creating the position of public advocate to appeal court decisions that appear to violate the law, and allowing companies that have been served with the orders to specify the number of FISA orders and NSLs (national security letters) they have received and complied with. [WashPost]

US – White House Pursuing Online Privacy Bill

Now 18 months out from President Barack Obama’s unveiling of a proposal for a Privacy Bill of Rights, Politico reports that the White House is actively working on legislation that would “boost online privacy safeguards for consumers.” According to the report, the bill would define privacy rights, convene further multistakeholder approaches to defining standards and give the FTC authority to enforce codes of conduct. The Commerce Department is helping to draft the legislation, according to the report, and Rep. Lee Terry (R-NE), chairman of the House Energy and Commerce Subcommittee, has been approached about helping to shepherd the bill through Congress. The Internet Association, Direct Marketing Association and others are lining up to make sure their voices are heard. Urgency is lent by continuing NSA revelations, such as today’s news that the National Security Agency used a Firefox flaw to target users of the anonymous Tor network. [Full Story]

US – CalOPPA Introduces New Disclosure Requirements

On September 27, Gov. Jerry Brown signed into law California Assembly Bill 370, which amends the California Online Privacy Protection Act to require businesses to disclose how they respond to Do-Not-Track (DNT) signals. The new law, which may effectively apply to any website or mobile app in the world, is the first to officially address the DNT mechanism endorsed by the Federal Trade Commission and debated by industry. While the disclosures required under the new law appear straightforward, they present formidable compliance challenges for covered businesses given that they mandate the implementation of standards and concepts that are not well settled in law or practice. [Full Story]

US – California Continues to Shape Privacy and Data Security Standards

With news that Gov. Jerry Brown has signed into law the first Do-Not-Track (DNT) legislation in the country, it’s clear that California is once again out in front of privacy law here in the U.S. The Hogan Lovells Privacy Team analyzes how California has led the way in the past, where the state is likely to head and what you need to know about the new DNT legislation and the way it’s likely to be implemented. [Privacy Tracker]

US – Montana Gun Owner Healthcare Privacy Law Goes Into Effect

As of October 1, healthcare providers—including psychological practitioners—are no longer allowed to ask patients about gun ownership, possession or use. HB 459, now Montana law at 50-16-108, M.C.A., aims to address gun owners’ concerns that medical records could be used to collect and centralize information about gun ownership. [Fairfield Sun Times]

US – DoJ, Oklahoma Rep. Considering Drone Regulations

A new report from the Office of the Inspector General (OIG) recommends that the Department of Justice look into creating rules for law enforcement’s use of drones. The OIG’s recommendation follows an audit of drone use by the FBI, Bureau of Alcohol, Tobacco, Firearms and Explosives, Drug Enforcement Administration and U.S. Marshals Service. Meanwhile, Oklahoma Rep. Paul Wesselhoft (R-Moore) is teaming up with the American Civil Liberties Union to come up with privacy laws surrounding the use of drones by the government. [The Verge]

US – Will Voters Support “Presumption of Harm” in Breach Cases?

Julian D. Perlman of BakerHostetler examines California’s move toward “amending its Constitution to create a presumption of harm whenever personal data is shared without a consumer’s express opt-in, a change that would clear a significant hurdle to many privacy breach lawsuits.” Perlman writes of California Secretary of State Debra Bowen’s approval of the necessary steps to bring the Personal Privacy Protection Act to California voters, noting it “would create presumptions that an individual’s personally identifying information is confidential when collected for a commercial or governmental purpose and that individuals are harmed whenever that personal data is shared without his or her express opt-in,” bringing California closer to the EU’s data collection and sharing approach. [Mondaq]

US – Telemarketing Rules Go Into Effect this Month

The Federal Communications Commission telemarketing rules go into effect on October 16. The rules require companies to gain express consent before calling consumers with prerecorded messages or “robocalling” wireless numbers, the report states. Consent must be written and include the number and signature of the consumer. While an electronic signature is acceptable, the agreement must also state that consent is not required “as a condition of purchasing any property, goods or services.” [Privacy and Security Matters]

US – State AG: Federal Breach Law? No Way

Amidst the ongoing U.S. government shutdown, representatives from state AG offices taking part in the literarily titled panel discussion “The Widening Gyre of State AGs” at the IAPP Privacy Academy were asked whether there should be one all-encompassing federal data breach notification law. Sam Pfeifle reports on their reactions. As Vermont AG William Sorrell put it, “You’d like to have this organization, the U.S. Congress—upon which, what, eight percent of Americans look favorably—you want us to say, ‘Oh, yes, we’re going to trust that body of public servants to do what’s right for our states’ citizens?’ No way.” [The Privacy Advisor]

US – Revenge Porn Law Doesn’t Go Far Enough: Opinion

On Tuesday, Gov. Jerry Brown continued California’s trailblazing in privacy law by signing into law the country’s second “revenge porn” law (New Jersey was first), “levying possible jail time for people who post naked photos of their exes after bitter breakups.” However, writes Emily Bazelon, the bill doesn’t go far enough. “It makes it a misdemeanor offense to post revenge porn only if a prosecutor shows that the poster intended to inflict emotional distress, rather than treating the act of posting a sexual photo without consent as an objectively harmful invasion of privacy. And the punishment wouldn’t apply if the subject of the photo took the picture herself, which means it wouldn’t help people whose exes persuaded them to hand over photos as a sign of trust.” [Slate]

Workplace Privacy

WW – Report: Most Breaches Come From the Inside

A new report reveals that the most common cause of a data breach within an organization stems from inadvertent misuse of data by employees. Conducted by Forrester Research, the report, Understand the State of Data Security and Privacy, surveyed organizations from Canada, France, Germany, the UK and the U.S. with two or more employees. Approximately 42% of small- to medium-sized organizations surveyed had received some sort of internal data protection training. Forrester Analyst Heidi Shey, author of the report, said, “A lot of organizations haven’t invested in a dedicated privacy group or function,” and many IT departments have privacy as an extra layer, adding that, moving forward, organizations may conclude they need a dedicated privacy group. Meanwhile, startup Lookout is stepping into the bring-your-own-device arena by offering an app that bolsters smartphones against data breaches. [PC World]

+++

16-30 September 2013

Biometrics

US – Homeland Security Testing Facial Recognition At Hockey Game

The Department of Homeland Security will test facial recognition software capabilities at a September 21 hockey game in the state of Washington. The Tri-Cities Toyota Center can seat 6,000 fans. Twenty specific faces will be sought by the technology, called the Biometric Optical Surveillance System (BOSS). A privacy impact assessment in 2012 found the technology was capable of capturing images of an individual from 50 to 100 meters away and can be set up to track an individual as he or she moves. Fans will be allowed to opt out and sit in an area without cameras; no names will be collected, and only government researchers will see the images, the report states. [Computerworld]

WW – Facedeals to Use Facial Recognition for Targeted On-Site Advertising

Facedeals CEO Dave McMullen says his company will soon be offering an opt-in service where consumers can select preferences ahead of time and then be offered deals via a text to their phones when cameras at establishments recognize their faces. In addressing privacy concerns, McMullen says the “double opt-in” service—the downloading of the app and then the process of registering—”ensures no one is signed up without their permission.” Further, he said privacy is already being infringed upon by every phone noting your location, camera recording your likeness and credit card transaction tracking your purchases. Why shouldn’t the consumer get something out of the deal? [MarketingLand]

US – Franken Wants Answers on Fingerprint Passwords

Sen. Al Franken (D-MN) is concerned about the fingerprint swipe password feature on Apple’s latest iPhone release. In a letter to Apple CEO Tim Cook, Franken wrote, “Passwords are secret and dynamic; fingerprints are public and permanent … If someone hacks your password, you can change it—as many times as you want. You can’t change your fingerprints.” Franken asked Cook to answer questions on how fingerprint data will be protected and with which third parties it may be shared. Meanwhile, a group of hackers in Germany say they have successfully hacked the fingerprint feature. [Full Story]

Canada

CA – OPC Encourages Parliament To Review PIPEDA

With a new parliamentary session scheduled to begin in October, Sébastien Gariépy, spokesman for Industry Minister James Moore, has said “he could not confirm that the amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA) would be reintroduced by the Department of Industry.” An Office of the Privacy Commissioner spokesman noted, “Much has changed as the years have passed, and the commissioner believes Canadians need far stronger protections than what is being proposed with respect to data breaches. Our office would again encourage parliamentarians to proceed with a second review of PIPEDA.” [Bloomberg BNA] SEE ALSO: [Stoddart: PIPEDA “Really Doesn’t Do Anything”]

CA – Resurfacing of Photo Highlights Lack of Control

A photo of a deceased teen girl turned up in third-party dating ads on Facebook, highlighting “how little control anyone has over any image once it gets out into the Internet sphere,” says technology and law Prof. Robert Currie. “It really seems to me to be an unfortunate accident that is causing a lot of grief … But it’s just the kind of thing that is going to happen,” says Currie. The company posting the ad used an image scraper to get the image, according to its administrator. Facebook has banned the company, saying the ads are a “gross violation” of its policies. [The Canadian Press]

CA – Advertisers Offering Consumers Choice

The Digital Advertising Alliance of Canada (DAAC) has announced a program to allow consumers “to control whether they want to receive targeted advertising messages.” Canadians will soon begin to see an “Ad Choices” icon in this offshoot of a movement that began in the U.S. and later spread to Europe. The DAAC hopes to educate consumers about how they are targeted, while the Office of the Privacy Commissioner has said it is “pleased that the advertising industry is taking action on this issue … the use of online behavioural advertising has grown dramatically and we are concerned that Canadians’ privacy rights are not always being respected.” [The Globe and Mail]

Consumer

US – Study: Consumers Favor Companies That Let Them Opt Out

A recent TRUSTe study has found that 62% of consumers will do more business with a company that gives them the option to opt out of online behavioral advertising. The study, which polled 1,171 U.S. Internet users, also found that 53% of consumers are more willing to click on an ad that gives them the option to opt out and that users feel more positive about the business behind an ad if the Digital Advertising Alliance’s AdChoices icon is displayed, indicating a growing awareness of the tool. [TRUSTe Consumer Data Report]

US – Survey Results Indicate Companies Should Compete on Privacy

A survey shows “40% of companies use customer information collected online for targeting purposes and 88.5% of chief marketing officers (CMOs) expect this practice to increase over time.” Another report suggests data hoarding can be a drag on business, presenting dangers including potential legal issues surrounding the requirements to protect the data a company possesses. The CMO study indicates marketers “have very low levels of concern about how the use of online customer data infringes upon privacy.” Considering this in the context of a Pew survey where 86 percent of respondents indicated taking “steps to remove or mask their digital footprints,” the report suggests companies should compete on privacy. [Forbes]

WW – The Privacy Paradox for Bank Loyalty Programs

A recent survey of 6,000 individuals belonging to loyalty card programs across the U.S. queried respondents to classify certain types of targeted marketing as “cool and exciting” or “creepy and weird.” Respondents to the Maritz Loyalty Marketing survey on average enrolled in 7.4 loyalty programs, with 1.8 connected to a credit or debit card. Card program categories included retail, grocery, hotel, airline, entertainment and financial services. Respondents over the age of 50 tended to get more “creeped out” by use of their personal data than younger individuals even when special benefits were transmitted. The marketing function that received the highest “creepy” rating stemmed from reviewing Facebook posts of friends to determine rewards eligibility. [American Banker]

US – Acxiom to Create ‘Master Profiles’ Tying Offline and Online Data

Acxiom has launched a new system designed to combine consumers’ offline and online activities, which then processes the collected data using algorithms. The data is then made available to marketers for behavioral targeting and personalized ads on mobile, the web and eventually television, the report states. Acxiom Chief Technology Officer Phil Mui said, “We are making big marketing data truly actionable.” The new system is a significant shift for targeted advertising as the system—which features a new identifier to match user profiles—allows marketers to track users across devices into one profile instead of multiple profiles based on a given device. [Financial Times]

E-Government

US – DOE Now Says July Breach Affected 53,000 People

The US Department of Energy (DOE) has updated information about a July data breach that compromised employees’ personally identifiable information. DOE now says that the breach affects 53,000 current and former employees, contractors, and dependents. The information compromised includes names, Social Security numbers (SSNs) and birth dates. The attacker or attackers exploited a known vulnerability in an unpatched ColdFusion system called DOEInfo. The department’s investigation indicates that the theft of the personal information “might have been the primary purpose of the attack.” DOE will notify all affected individuals within the next two weeks. [InformationWeek][DOE Cyber Incident Information]

E-Mail

WW – Email Surveillance Could Reveal Journalists’ Sources, Expert Claims

Creator of the email encryption software PGP, Phil Zimmermann, has told The Guardian that users of consumer e-mail services should be aware of the threat of exposing their metadata. Zimmermann says his opinions on privacy have changed drastically in the more than 20 years since he invented PGP, noting “more recently … everyone has become aware that metadata is becoming increasingly important—that the message headers mean a lot.” These risks prompted him to develop a new feature for his Silent Phone app that encrypts conversations earlier in the call process, but the report states, in spite of PGP flaws “becoming clearer with time,” he maintains that PGP is holding up just fine. [Full Story]

US – App Maps Users’ Lives Via Inbox Scanning

An app built by a group of MIT researchers visualizes users’ social lives by looking at their e-mail inboxes. Immersion uses timestamps and the to, from and CC fields to draw a map of the user’s social connections. It offers users a look at Big Data and the “digital exhaust they’re continually leaving behind,” said MIT’s Cesar Hidalgo, adding it’s a particularly useful perspective following revelations of NSA surveillance measures. The app does allow users to delete data upon logout. “If I am able to withdraw my money from my bank account, I should be able to withdraw my data from my e-mail provider,” Hidalgo said. [WIRED]

US – Problems Surfacing with Reassigned Yahoo Accounts

Some people who obtained reassigned Yahoo email addresses are receiving personal messages meant for the prior account holder. Some of the messages contain sensitive personal information, such as data about other accounts, emailed receipts, and appointment and travel confirmations. Earlier this year, Yahoo said it would begin reassigning email addresses and Yahoo IDs that had been inactive for more than a year. A company representative said that before reassigning the identifiers, they attempted to contact the account owners in several ways. Yahoo said they would unsubscribe the dormant accounts from newsletters and alerts and notify “merchants, ecommerce sites, financial institutions, social networks, email providers, and other online properties” that the account no longer exists before reassigning the name. [BBC] [CNET] [InformationWeek]

US – Users Sue LinkedIn Over Harvesting of E-Mail Addresses

A new lawsuit against LinkedIn has been filed by four users who claim the professional networking site accessed their e-mails without consent and used the harvested addresses of their contacts to spam non-users with invites to the service. In one claim, the suit alleges LinkedIn is “breaking into” external e-mail accounts pretending to be the user, but no details are offered. In response, LinkedIn has released a blog post refuting the claims. In separate class-action news, a Politics in Minnesota report details the mounting data protection lawsuits being filed against the government after one case resulted in more than $1 million worth of settlements from illegal government access to driver’s license records. [The New York Times]

Encryption

US – NSA Defeats Internet Encryption

According to documents leaked by Edward Snowden, the US government has spent more than US $10 billion over four years on the Consolidated Cryptologic Program. The documents also show that the NSA has used its influence to insert encryption weaknesses in currently used standards; used a variety of techniques – including hacking – to acquire cryptographic keys from various technology companies; and in some instances, broke into targeted machines to intercept messages before they were encrypted. [NYTimes] [ArsTechnica]

WW – Google Will Send All Searches Over SSL

Google is now sending all searches over secure sockets layer (SSL). Google has been using SSL to protect Google account holders’ searches since 2011. SSL encrypts connections between users’ computers and Google, which means that ISPs, Wi-Fi hotspots, and Internet cafes cannot intercept searches conducted through Google. Users’ search results will be protected, but their search terms and the fact that they visited Google.com may not be protected. [SCMagazine]

US – RSA Warns Customers Not to Use Cryptography with NSA Backdoor

RSA Security has sent an advisory to some of its customers, urging them to stop using a cryptographic component that has been revealed to contain an NSA backdoor. Two of the company’s products, the BSAFE toolkit and Data Protection Manager, use the specification, known as Dual_EC_DRBG, by default. RSA recommends that customers using the affected products switch to a different pseudorandom number generator (PRNG). [ArsTechnica]

EU Developments

EU – Reports Call for EU Cloud, Student Data Protection

A report commissioned by the European Parliament suggests the EU-U.S. Safe Harbor Framework does not protect against U.S. interception of European citizen data processed in the cloud and “urges the European Union to encourage development of local cloud computing capacity based on open source software as a way of safeguarding against U.S. intelligence community surveillance.” Meanwhile, a SafeGov.org report “shows broad support for safeguarding especially vulnerable cloud user populations in public organizations, such as schoolchildren, civil servants and healthcare professionals and their patients, who are at risk of being tracked and profiled for online advertising purposes.” A U.S. lobbying group is proposing a code of conduct to prohibit “user profiling and data mining by cloud services used by European schools.” [Fierce Government IT]

EU – MEPs: Stop TFTP Agreement in Its Tracks

European politicians have demanded that a broad data-sharing agreement between the U.S. and EU be suspended. The demands to halt the Terrorist Finance Tracking Program (TFTP) at a recent hearing of the Civil Liberties Committee follow allegations that the U.S. National Security Agency illegally tapped banking data, the report states. “We have no evidence that they have actually been doing this, but they don’t deny it either. So in a way it is irrelevant whether they have used the opportunity so far, because they will continue to reserve that right in the future,” said Dutch MEP Sophie in’t Veld, adding she considers the agreement to be “effectively dead.” [PCWorld]

EU – MEPs Hear US Privacy Experts, Whistleblowers And Snowden Statement

At the fourth hearing of the Civil Liberties Committee inquiry into U.S. and EU countries’ surveillance of EU citizens, MEPs discussed the possibility of suspending EU-U.S. trade talks, creating international standards and the need for parliamentary oversight of surveillance activities. In a statement read aloud, whistleblower Edward Snowden said “the surveillance of whole populations … threatens to be the greatest human rights challenge of our time.” A former Microsoft executive has said he no longer carries a cellphone and only uses open-source software if he can check the underlying code. Meanwhile, at an event this week, U.S. Supreme Court Justice Antonin Scalia reportedly suggested the Fourth Amendment protects personal items, “not privacy, per se.” Separately, a former NSA contractor and graphic designer has created four fonts that he claims cannot be analyzed by systems used to monitor online communications. [EuroParl]

EU – Lawmakers Accused of Rushing EU Data Protection Law

“Industrialists and diplomats have accused MEPs of rushing through data protection laws that they say would boost their electoral chances more than Europe’s economies.” At an event in Brussels, policymakers and industry representatives clashed over the EU draft regulation’s timeline, the report states, citing comments by the European Commission’s Paul Nemitz indicating companies that value their customers’ needs will not have issues with the new rules. “If you are operating cross-borders, your life is likely to become easier. Why? Because in the future, we’ll have one law in form of a regulation rather than 28 implementing laws based on a directive and we will have a consistency mechanism,” Nemitz said. [EurActiv]

EU – Dutch IT Trade Org Objects to Proposed Breach Notification Legislation

A trade organization representing IT companies in the Netherlands is objecting to a proposed law in that country requiring technology companies to report security breaches. Nederland ICT says that Dutch companies are already required to report breaches to several organizations and that the new legislation would just create more administrative work. The draft legislation affects select industries that are part of the country’s critical infrastructure and aims to clarify notification requirements for those companies that experience breaches. The government says the bill intends that only severe breaches must be reported, but Nederland ICT says that if the bill becomes law, companies are likely to start reporting all breaches. [ZDNet]

EU – MPs Give Data Harvesters “Green Light”

Members of Parliament are giving companies that harvest personal data from Internet-connected devices “the green light … prompting disquiet over Parliament’s commitment to protecting consumer rights.” The House of Commons Culture, Media and Sport Committee noted in a report, “Increasing use is being made of personal data to target online advertising better … While concerns around this have prompted reviews of data protection legislation, we do not think the targeting of appropriate advertising—essential to so many business models—represents the greatest threat to privacy.” Consumer and privacy advocates caution, however, that consumers are losing control of their data, the report states. [Full Story]

EU – Google and Facebook Face Tougher EU Tax and Privacy Rules

France is pushing for the EU to adopt proposals that would see technology companies such as Google and Facebook regulated and taxed where customers use their websites. The proposals “could put Europe at loggerheads with the U.S., which has previously reacted angrily at attempts to impose greater regulation on the Internet.” Fleur Pellerin, France’s digital economy minister, said the campaign does not target American companies—though they are the ones on top, currently—but aims to “boost the ability of European actors to develop in Europe and gain positions that can compete on the same level playing field as the other international actors.” [Financial Times]

Finance

US – NSA Program Monitors Credit Card Transactions

The U.S. National Security Agency’s (NSA) “Dishfire” program collects information on credit card transactions from 70 banks worldwide. The NSA targets transaction information from large credit card companies such as VISA and MasterCard on customers in Europe, the Middle East and Africa, the report states, adding that credit card data and related text messages made up 84% of NSA financial database Tracfin in September 2011. [Der Spiegel]

US – CFPB Guidance: Fraud Reporting Won’t Breach GLBA

The Consumer Financial Protection Bureau (CFPB) has issued new guidance informing banks it’s their responsibility to report instances of suspected fraud against senior citizens and, according to the CFPB, reporting such exploitation will not contravene the Gramm-Leach-Bliley Act. Bank tellers and other financial employees “can be instrumental in reporting such fraud,” said CFPB Director Richard Cordray, because they are familiar with the customers who may be exploited, The Wall Street Journal reports. [Source]

FOI

WW – Tech Giants Ask 21 Countries to Release Surveillance Data

Privacy advocates, human rights groups and tech companies are asking 21 countries to release information on their surveillance requests. The Global Network Initiative includes such companies as Facebook, Google and Microsoft and said in letters to the members of the Freedom Online Coalition—a group of 21 countries working together to advance Internet freedom—that governments should release the data and allow the tech companies asked to respond to such requests to do the same. [The Hill]

US – Microsoft Releases Data on Government Requests for Information

Microsoft’s most recent Law Enforcement Requests Report details the number of requests for information it received from governments worldwide in the first half of 2013. Based on that number – 37,196 – Microsoft looks to be on track to receive roughly the same number of requests it did in 2012, when it received just over 75,000 requests. The report breaks down the requests by country, and indicates the company’s response to the requests. Microsoft provided non-content user data for 77 percent of the requests, while it provided customer content for 817, or 2.2 percent, of requests. The US government made 7,014 requests affecting 18,809 accounts. The report does not provide information about US national security requests. [ComputerWorld] [ZDNet] [MSFT.com]

Genetics

US – NIH Seeks Comments on GDS

The National Institutes of Health (NIH) is calling for comments following the publication of its draft Genomic Data Sharing (GDS) policy. The GDS, which applies to all NIH-funded research, “details the need to strip all data of names, Social Security numbers and other identifiers before uploading,” the report states, noting de-identified data is then required to be coded at random to protect privacy. “All data is subject to NIH’s desire for widespread sharing,” according to the report. [FierceBioTechIT]

Google

EU – French Data Protection Agency May Fine Google for Privacy Violations

France’s data protection agency, CNIL, plans to fine Google for failing to comply with that country’s privacy requirements. Google was warned of the fines in June; the company was given three months to amend its privacy policy to clarify its collection and use of user data. The issue centered on Google’s decision to combine 60 services under a unified policy that allows the company to merge data from its different products, such as Gmail, YouTube, and Google+. The concern is that some users may not want their data connected in this way. Google maintains that its current privacy policy respects EU privacy laws. [WashingtonPost] [ComputerWorld] [CNET]

US – Google’s eMail Scanning May Violate Wiretap Law

A US federal judge in California has ruled that a lawsuit brought against Google for violating US wiretap law may move forward. The lawsuit alleges that Google violates the law when it scans email messages. Google maintains that it scans all emails that pass through its servers to check for spam as well as to create user profiles and provide targeted advertising. Google was seeking to have the lawsuit dismissed under a portion of the wiretap law that allows email providers to intercept messages if the action helps the message get delivered or is incidental to the efficient functioning of service. US District Judge Lucy Koh wrote in her decision, “the statutory scheme suggests that Congress did not intend to allow electronic communication service providers unlimited leeway to engage in any interception that would benefit their business models.” [Washington Post] [WIRED]

Health / Medical

US – Obama to Reinforce Privacy in Affordable Healthcare Act

The Obama administration is seeking to bolster privacy protections for Americans signing up for the federally mandated Affordable Healthcare Act. To help stem identity theft and fraud and protect personal privacy, the administration plans to launch a toll-free telephone number to report fraud incidents and an online verification system. Attorney General Eric Holder met with Department of Health and Human Services Secretary Kathleen Sebelius and FTC Chairwoman Edith Ramirez to discuss the privacy and security implications of the impending law. Concern has also been expressed about counselors—also called navigators—who are set to educate and help Americans enroll in the health exchanges. A House Committee report stated, “There are already reports from across the country that scam artists are attempting to impersonate navigators and assisters to steal credit card information and personally identifiable information in order to take advantage of massive confusion about Obamacare.” [Reuters]

US – Data Privacy Tests Needed, GOP Lawmakers Say

House and Senate Republicans have introduced legislation that would delay enrollment in the healthcare exchanges under the Affordable Healthcare Act until it is confirmed that robust data protection standards are in place. Sen. Orrin Hatch (R-UT), a sponsor of the Trust But Verify Act, says the Government Accountability Office must verify that data privacy safeguards are in place. “It would simply be irresponsible to open the exchanges without adequate safeguards to protect and secure consumers’ personal information,” Hatch said, adding, “While the administration claims that these safeguards exist, there is simply no way to verify these claims absent an independent review.” [The Hill]

US – Grace Period Ends for Updated HIPAA Rule Compliance

As of September 23, 2013, US organizations that handle protected health information must abide by updated Health Insurance Portability and Accountability Act (HIPAA) rules. The changes were established in 2009 and took effect in March 2013, but organizations were given a six-month grace period that ended this week. Among the new rules are a requirement that business associates of organizations covered by HIPAA must be in compliance with the rules’ security and privacy measures, and new restrictions on covered entities’ marketing and sale of personal health information. [SC Magazine]

US – HHS Releases Model HIPAA Privacy Notices

The Office for Civil Rights, in collaboration with the National Coordinator for Health Information Technology, has released three model privacy notices to help providers comply with the Health Insurance Portability and Accountability Act (HIPAA), according to a U.S. Department of Health and Human Services press release. The three new notice of privacy practice models were constructed out of input from “consumers and key stakeholders” and include the recent changes in the HIPAA Omnibus Rule. The three options include notice in the form of a booklet, a layered notice and a text-only version. [HHS]

US – HHS Launches Meaningful Consent Site for Providers

The Department of Health and Human Services (HHS) has launched an online resource to help healthcare providers “effectively engage patients” in choosing how they want their electronic health information shared. The site provides strategies and tools to help educate patients. “As patients become more engaged in their healthcare, it’s vitally important that they understand more about various aspects of their choices when it relates to sharing their health in the electronic health exchange environment,” said the chief privacy officer of the HHS Office of the National Coordinator for Health Information Technology. [HHS]

US – Omnibus Rule Kicks In, Four Compliance Steps for BAs

In light of the implementation date of the HIPAA Final Rule on Privacy and Security, there are four steps that business associates (BAs) need to take to comply with the update. For covered entities, the effects “are mostly incremental because the compliance structure remains unchanged,” but for BAs, the change “raises the risks of noncompliance to a new level because, for the first time, they face many of the same compliance requirements as their covered entities,” making them subject to government fines and civil penalties, the report states. Meanwhile, a new study reveals there is increasing confidence in cloud technology among healthcare policy decision-makers. [Government Health IT]

US – OCR’s Rodriguez Says Increased Enforcement Ahead

The Office for Civil Rights Director Leon Rodriguez said there will be increased enforcement of HIPAA regulations, highlighted the importance of appropriately protecting patient privacy and discussed the “what-not-to-dos” regarding healthcare privacy. “Today is a critical day for the Omnibus,” Rodriguez said. “On the one hand, you have to have assertive enforcement; you have to have credible enforcement, that really does play a critical role in obtaining compliance,” he noted, adding, “But at the same time, you have to set rules of the road that are understandable and consistent, and you really need to make sure people know what the rules of the road are.” [Government Health IT]

US – US Food and Drug Administration to Regulate Some Medical Apps

The US Food and Drug Administration (FDA) will impose the same regulations on certain mobile medical apps as it does on medical devices. The apps affected are those that perform the same functions as medical devices, like blood pressure monitors. According to the FDA, “If a mobile app is intended for use in performing a medical device function [such as diagnosis, cure, mitigation, treatment, or prevention], it is a medical device, regardless of the platform on which it is run.” Apps that log and track trends would not be subject to regulatory oversight. [NextGov] [FDA Document on Mobile Medical Applications]

US – DEA Cites Third Party Doctrine With Prescription Data Case

The Drug Enforcement Agency (DEA) has submitted an argument in response to an American Civil Liberties Union (ACLU) lawsuit over the privacy of certain medical records. According to the DEA, citizens who share medical records with pharmacies—or any other third party—have “no expectation of privacy” regarding that data. In a blog post, ACLU attorney Nathan Wessler wrote, “Just because we trust our doctors and pharmacists with our medical information, doesn’t mean the DEA should be able to easily access it too.” [The Verge]

US – Sensor Network to Track Seniors Launched

A new product has been launched that is designed to track the activity of seniors living on their own. The system, created by Lively, consists of various sensors strategically placed around a home that report movements—such as refrigerator or medicine cabinet doors being opened—to a base station connected to an app. The system aims to let concerned guardians know if individuals are taking their medicine and moving around the house. “This is not ‘Big Brother’ monitoring,” said one of the company’s founders, adding, “Lively’s passive sensing tracks just enough information to interpret meaningful activity that shows how you’re doing without sharing too much.” [TechCrunch]

Horror Stories

US – Underground Identity Theft Site Hacked Data Aggregators

An underground website that trades in identity theft data reportedly gathers information by breaking into computers at major US data aggregators. The site, SSNDOB, sells Social Security numbers (SSNs), birthdates, and other personal data. Network analysis showed that SSNDOB administrators were also operating a botnet that had infiltrated servers at LexisNexis, Dun & Bradstreet, and Kroll Background America. [Krebs] [The Register]

WW – Data Broker Hackers Also Compromised NW3C

Yahoo is facing claims its decision to recycle accounts that had been inactive for a year or more has resulted in individuals receiving e-mails intended for the previous owners. An Ohio psychologist is notifying clients of a burglary where “the thieves may have intended on stealing patients’ personal data when they stole the office’s entire computer supply.” Patients at a Canadian health region are also receiving letters after an employee accessed “patients’ personal health information between 2009 and 2012, considered a breach under the Health Information Protection Act.” Meanwhile, the “miscreants responsible for breaking into the networks of America’s top consumer and business data brokers appear to have also infiltrated and stolen huge amounts of data” from the U.S. National White Collar Crime Center. Amidst all these reports, InformationWeek offers tips on the “lessons learned” from data breach incidents. [Krebs on Security]

Identity Issues

US – NIST Awards Grants for Development of Trusted Identity Systems

The US National Institute of Standards and Technology (NIST) has awarded more than US $7 million in grants to five organizations to develop systems for online identity protection and verification. The grants are part of the National Strategy for Trusted Identities in Cyberspace (NSTIC). [Information Week]

AU – Australia Bar-Scanning Bill Raises Red Flags

An Australian bill is being considered that would require patrons of venues in Sydney’s Kings Cross to have their identity scanned and stored to monitor and enforce entrance bans on individuals who have committed serious crimes. The legislation would enforce ID scanning at 35 “high risk” venues and would collect names, dates of birth, addresses and photographs. The Australian Privacy Foundation’s Roger Clarke said, “The measure doesn’t only affect the targeted individuals, it represents a serious imposition on all patrons of the venues that the government brings within its scope.” [The Guardian]

Intellectual Property

US – Copyright Attorney Suing Record Label Over Automated Takedown Notice

Harvard Law School professor Lawrence Lessig is suing an Australian record label that attempted to sue him for copyright infringement. The matter involves a lecture given by Lessig that is available on YouTube. The lecture is in fact about the need for copyright law to be adjusted for the Internet. In the lecture, Lessig uses a clip from a song to which the Australian record label holds the rights. However, the company backed down after Lessig invoked the fair use legal doctrine. Lessig then sued the company for initiating a bad-faith claim. Lessig filed the suit because he believes music labels should stop depending on automated systems to detect possible infringements and send takedown notices. [NPR.org]

EU – Spain Approves More Stringent Anti-Piracy Law

Spanish legislators have approved new anti-piracy laws that punish even those who link to pirated content for either “direct or indirect profit.” People found guilty of piracy could face up to six years in prison under aggravated circumstances. [ArsTechnica]

US – MPAA, RIAA Help Draft Anti-Piracy Curriculum for Use in California Schools

The Motion Picture Association of America (MPAA), the Recording Industry Association of America (RIAA), and several major US ISPs plan to pilot an anti-piracy program in California’s elementary schools. The curricula, which are adapted for each age level from kindergarten through sixth grade, were created by the California School Library Association and the Internet Keep Safe Coalition working with the Center for Copyright Infringement, which counts executives from MPAA, RIAA, and several large telecommunications firms among its board members. A draft of the program suggests that using other people’s works without permission is worse than copying someone’s answers on a test. Those helping to develop the curriculum stress that it is still in draft form. [WIRED]

US – MPAA Says Search Engines Should Do More to Prevent Piracy

The Motion Picture Association of America (MPAA) has released a report indicating that search engines need to make a more concerted effort to help fight piracy. The report comes just as the Commerce Department is considering ways to help private sector companies fight piracy. The MPAA’s report said that Google’s recent changes to its search algorithm have not had an effect on piracy. [WIRED] [LATimes] [Politico] [MPAA]

US – Netflix Monitors Piracy Sites to Determine Content to Buy

Netflix acknowledged that it tracks activity on known piracy websites to help it decide which movies and television programs to purchase for its online streaming service. Some others in the industry have noted that there can be an up side to piracy. According to the creator of “Breaking Bad,” piracy helped keep the show alive. Initial broadcasts of the show garnered few viewers, but once circulated through piracy, the show gained a following. A Time Warner executive suggested that the same is true of the “Game of Thrones” series. [BBC]

US – AT&T Issues Piracy Warning to Customers

AT&T is warning its customers that if they are found to be engaging in Internet piracy, their Internet access could be severed. The warning, which came in the form of a letter, is part of the company’s implementation of the so-called “six strikes” anti-piracy policy. The letter says the illegal activity “could result in mitigation measures including limitation of Internet access or even suspension or termination.” Several years ago, AT&T reportedly said it would terminate users’ accounts only upon receipt of a court order. [ArsTechnica]

Internet / WWW

WW – Is This the End? DAA Withdraws from W3C Process

In a letter sent to Jeff Jaffe, CEO of the World Wide Web Consortium, the Digital Advertising Alliance (DAA) announced that it is withdrawing “from future participation in the World Wide Web Consortium (W3C) Tracking Protection Working Group (TPWG). After more than two years of good-faith effort and having contributed significant resources, the DAA no longer believes that the TPWG is capable of fostering the development of a workable ‘Do-Not-Track’ (DNT) solution.” Instead, the DAA says it is convening its own DNT process, beginning almost immediately, for evaluating “how browser-based signals can be used meaningfully to address consumer privacy.” That process “will be a more practical use of our resources than to continue to participate at the W3C,” wrote DAA Executive Director Lou Mastria. In this exclusive for The Privacy Advisor, we look at what’s next for the DAA, how the DNT process fell apart and whether legislators and the Federal Trade Commission are about to get involved. [Full Story]

WW – W3C Not Ready to Give Up the Ghost

The World Wide Web Consortium (W3C) has announced the appointment of two new chairs for its Tracking Protection Working Group (TPWG). Carl Cargill, a director at Adobe, and Justin Brookman, from the Center for Democracy & Technology, will join incumbent Matthias Schunter, principal at Intel. This exclusive for The Privacy Advisor explores the new priorities for the W3C’s TPWG and insight from Brookman on what’s next for the multi-stakeholder process. [Full Story]

WW – With DNT, What Next for Policymakers?

In what can be perceived as a rollercoaster week for the World Wide Web Consortium’s Do Not Track (DNT) working group, IAPP VP of Research and Education Omer Tene asks if the appointment of the Center for Democracy & Technology’s Justin Brookman and Adobe’s Carl Cargill can save the process. “Hopefully, all sides will work together to pursue an agreed-upon solution, since an implosion of the process, which seemed inevitable on Tuesday as the Digital Advertising Alliance announced its departure from the group, would cast a long shadow over the prospects for multi-stakeholder resolutions to the burning privacy problems of our time,” he writes. In this post for Privacy Perspectives, Tene explores what’s next for DNT and the policymakers working on such a resolution. [Full Story]

WW – Study: Whois System’s Privacy Controls Being Abused

A new study commissioned by the Internet Corporation for Assigned Names and Numbers (ICANN) indicates the Whois system’s current ad hoc privacy controls are being abused. ICANN is recommending that the Whois system—a pseudo-directory of contact details for domain names—be replaced with one that includes authenticated access. Currently, contact details for administrators of a domain are publicly available, prompting domain name owners to provide false information. [ZDNet]

Law Enforcement

CA – Police Pledge Adherence to Privacy Guidelines

Hamilton police have agreed to follow Ontario’s privacy guidelines for the use of video surveillance. The Spectator had previously revealed the police department’s video surveillance program appeared to be “violating provincial guidelines designed to protect the public’s privacy, and this had been the situation for years,” the report states. Deputy Chief Ken Leendertse announced new policies to comply with the provincial guidelines and promised an annual report reviewing the program “and its effectiveness according to the privacy commissioner’s ‘Section 4’ criteria, which deal with demonstrating an ongoing need for surveillance and proving the effectiveness of the tool,” the report states. [The Spectator]

Location

WW – Usage-Based Car Insurance Raises Privacy Concerns

A new study out of the University of Denver reveals that pay-as-you-drive insurance plans may pose a potential privacy risk for drivers. Though insurance companies do not collect location data with these plans, the research found that driving habits, including speed, braking and acceleration, mileage and time of travel have the potential to reveal a detailed portrait of a driver’s movement within a specific time period. According to the research paper, “Customer privacy expectations in non-tracking telematics applications need to be reset, and new policies need to be implemented to inform customers of possible risk.” [Source]

US – New Offline Tracking Methods Come to Airports

Recent reports have detailed retailer tracking of shoppers via smartphones and other mobile devices, but the practice has extended to some airports, according to Covington & Burling Partner Nigel Howard in a recent post for InsidePrivacy. The offline tracking systems aim to follow passenger patterns, detail real-time movement of travelers and track retail behavior by using a unique identifier system. Though these systems provide several benefits, Howard writes, “they also raise privacy issues that might not fit neatly into the notice-and-choice framework that—notwithstanding the FTC’s recent efforts—still is the predominant model of privacy protection in the U.S.” [InsidePrivacy]

US – Apple Wants Class-Action Status Denied

Apple says iPhone users suing the company for allegedly allowing app developers to access personal information shouldn’t be able to proceed with a class-action lawsuit. In the case, consumers claim Apple misled them by sharing their devices’ unique identifiers with app developers after promising to protect their personal information. But Apple says consumers haven’t presented “a shred of evidence that even a single app transmitted ‘personal information.’” The company is asking U.S. District Court Judge Lucy Koh to reject the plaintiffs’ request for class-action status. [MediaPost News]

Online Privacy

WW – Google May Ditch ‘Cookies’ As Online Ad Tracker

There are rumours of a potential move by Google to replace third-party cookies with a new anonymous identifier (AdID) that would allow advertisers to track Internet browsing activity for marketing. The AdID would be communicated to online advertisers and ad networks that have aligned with agreed-upon guidelines in the attempt to give consumers more privacy and control as they browse the Internet. Though the program has not been officially announced by Google, a spokesman said, “Technological advancements can improve users’ security while ensuring the web remains economically viable. We and others have a number of concepts in this area, but they’re all at very early stages.” According to the report, Google plans to reach out to industry, government agencies and consumer groups in the near future. [USA TODAY]

US – Industry Reacts to Google Cookie Alternative

The ad industry is reacting to an unofficial proposal by Google to replace cookies with an anonymous identifier (AdID) system. Advertising executives, ad technology firms and analysts say that changing how consumers are tracked online would significantly affect the $120 billion industry. Interactive Advertising Bureau President Randall Rothenberg said, “This would be anticompetitive and potentially negatively impact all other online publishers.” Financial Times has published a Q&A to explore the proposed cookie alternative, and AdAge has posted a video with some industry reaction. Independent researcher Ashkan Soltani has posted a blog answering some questions on the AdID proposal. [Wall Street Journal]

US – Facebook Hires Privacy Pro as New Deputy Counsel

Facebook has hired Ashlie Beringer, a partner at California firm Gibson Dunn and co-chair of the law firm’s information technology and data privacy practice group, as the company’s new deputy counsel. Beringer will report to Facebook General Counsel Colin Stretch, “who was promoted from deputy to take the social network’s top legal job in June after long-running GC Ted Ullyot left the company.” Beringer will run Facebook’s legal department’s litigation, regulatory and product groups. She will begin at Facebook November 18. [TechCrunch]

US – Court Says Facebook “Like” Is Protected

The Fourth U.S. Circuit Court of Appeals has ruled in favor of a former Virginia deputy sheriff who said he was fired for “liking” the Facebook page of a man running for his boss’s position. Chief Judge William Traxler, Jr., said in the ruling, “On the most basic level, clicking on the ‘like’ button literally causes to be published the statement that the user ‘likes’ something, which is in itself a substantive statement.” However, the report cautions, “The decision may not protect social networkers who press the ‘Like’ button with abandon” as the First Amendment “primarily protects individuals from government action,” one expert notes. [MarketWatch]

US – Tumblr Inks Deal With Analytics Biz

Tumblr has signed a deal with analytics company DataSift, a move that could give advertisers more knowledge of what is posted on the site and boost Tumblr’s advertising sales. DataSift will have access to all of Tumblr’s real-time and historical data. DataSift currently has similar deals with Twitter and Facebook. Meanwhile, a report suggests that Google may have access to the WiFi passwords of every Android user, and, “Considering how many Android devices there are, it is likely that Google can access most WiFi passwords worldwide.” [TechCrunch]

Other Jurisdictions

AU – New Australian Privacy Principle Guidelines Released for Comment

The second stage of Australian Privacy Principle (APP) guidelines have been released for public comment. APPs one through five were published in August, and this next set addresses “new requirements for agencies in how they use or disclose personal information, undertake direct marketing activities and send data off-shore,” according to Privacy Commissioner Timothy Pilgrim. Noting specific concerns related to APP 8, Pilgrim said, “These new requirements provide a compelling business case for organisations to protect their business when planning to send personal information overseas.” The Office of the Australian Information Commissioner will accept submissions until 21 October. [ComputerWorld]

AU – Commissioner To Release Mobile Guidelines

Australian Privacy Commissioner Timothy Pilgrim plans to release new mobile privacy guidelines for app developers next week, and the guidelines will focus on third-party data sharing. Pilgrim has been consulting with industry and advocacy groups since draft guidelines were released last April. Pilgrim noted that app developers can expect more scrutiny of app industry privacy practices from regulators and the marketplace itself, the report states. The new guidelines are expected to be released next Monday. [IT News Australia]

SG – New Data Protection Guidelines for Singapore

Singapore’s Personal Data Protection Commission has issued new data protection guidelines for businesses operating in the country. Failure by consumers to opt out can signal consent to process data in certain circumstances, according to the new 18-page guidance note. The guidelines have been published to complement the Personal Data Protection Act, which was introduced in January and goes into effect next July. One technology law expert said, “With the issuance of these advisory guidelines, the whistle has blown for organizations to kick off their compliance programs if they have not done so.” [Out-Law]

SA – South African President to Sign Data Protection Bill

The Protection of Personal Information Bill has recently passed in Parliament and will soon be signed into law by the president, report attorneys for Edward Nathan Sonnenbergs. The bill brings South Africa in line with international data protection laws, the report states, granting citizens the right to privacy when it comes to organizations collecting and processing their personal information by mandating compliance with eight conditions, including accountability, purpose specification and security safeguards. [Mondaq]

US – Experian Buys Fraud Detection Firm for $324 Million

Experian will acquire U.S.-based fraud detection group The 41st Parameter for $324 million. Experian noted it will increase its presence in the fraud prevention arena and bolster its current work in fraud detection and online authentication. [Reuters]

Privacy (US)

US – FTC Reaches Settlement With Company Over Unsecure Webcams

The FTC has reached a settlement with a company whose webcams lack adequate security. Trendnet cameras contain vulnerabilities that allow anyone online to view the devices’ feeds. Under the terms of the settlement, Trendnet may not refer to the cameras as “secure” in marketing materials. Trendnet must notify customers of the security issue, provide help to make the devices more secure, and undergo third-party security audits every two years through 2033. (The incident reported last month in which a stranger hurled obscenities at a Texas couple and their toddler through the webcam they were using as a child monitor involves a device from a different company.) [CNN] [The Register] [BBC] [Washington Post]

US – FTC’s Jessica Rich Lays Out Ambitious Ad Enforcement Agenda

FTC Director of Consumer Protection Jessica Rich delivered remarks to the advertising community in New York City. “The FTC has long had a focus on national advertising,” she said. “We’re by no means finished.” Specifically, Rich noted the agency will step up enforcement in the digital arena, including mobile advertising disclosures. “This will be an area of increased law enforcement in the coming year,” she said. In addition to the “numerous privacy concerns” in the Big Data sphere, Rich said, “The NSA and Snowden incidents have done a lot to raise awareness about the collection of consumer data,” adding, “Consumers should be able to expect basic privacy and security protections.” [AdWeek]

US – FTC Files Complaint Against LabMD for Alleged Data Exposure

The US FTC has filed a complaint against a medical testing laboratory for allegedly exposing the data of more than 9,000 individuals. The complaint alleges that LabMD put the data at risk of theft in two separate incidents. In 2009, patient data were reportedly available on peer-to-peer (P2P) file sharing networks. In 2012, California police found identity thieves had documents from LabMD that contained personal information of at least 500 patients. [SCMagazine] [ArsTechnica] [FTC Press Release] [FTC Complaint Links] See also: [LabMD CEO Fights FTC Complaint, Asks for Standards]

US – GSA Offers Electronic Privacy Refresher

The General Services Administration Center for Excellence in Digital Government has released a memorandum on agencies’ use of social media and the dangers of posting content that contains personally identifiable information (PII). A specialist with the center, Tim Lowden, reminds agencies that they are required by Section 208 of the E-Government Act to conduct privacy impact assessments “when developing or before acquiring or using third-party sites or applications that collect PII.” Meanwhile, a Forbes report examines a recent high-profile case involving social media to question what the right balance is when it comes to protecting privacy while “promoting accountability” online. [FierceGovtIT]

US – Lawsuit Targets JPMorgan Chase & Co. Over Privacy Issues

JPMorgan Chase & Co. is facing a proposed class-action lawsuit accusing it of printing Social Security numbers on the outside of forms mailed to customers telling them of the bank’s efforts to protect their private data. The suit was filed last week in federal court in Chicago, IL, and alleges the bank put customers at risk for identity theft. “Chase even says on its website that providing Social Security numbers to an identity thief is ‘as good as gold,’” said the lawyer who filed the suit. It’s unknown how many customers were affected. [Reuters]

US – Survey: Orgs Lacking Comprehensive Privacy Programs

A new survey by Gartner has found the “perceived level of maturity attached to organizations’ privacy activities has decreased since 2011.” While 43% of organizations have a comprehensive privacy management program in place, more than a third of organizations “still ‘consider privacy aspects in an ad hoc fashion,’” the survey found. And while 90% of organizations do have at least one person responsible for privacy, only 66% have a defined privacy officer role. [CIOOnline]

US – New Online Media Privacy Opinion Issued

According to a recent federal court opinion, “news organizations may be more liable in privacy lawsuits if their reporting is factually incorrect.” The opinion centers on how one gossip website used the plaintiff’s modeling pictures to allegedly publish a false story on the plaintiff, stating the model was a sister of a known celebrity. Senior District Judge Denis R. Hurley filed the opinion in Edme v Internet Brands, Inc. et al and denied a motion to dismiss in the case. Hurley noted that, although the published story “can be considered, for better or worse, a matter of public interest merely because its subject matter involved a celebrity,” the media website in the case reported an “undisputedly false” claim that the plaintiff was a sister of the celebrity, thus losing its newsworthiness. [Inside Privacy]

Privacy Enhancing Technologies (PETs)

WW – Patent-Approved Personalized TV Keeps Privacy in Mind

FourthWall Media has received the go-ahead from the U.S. Patent Office for its broadband device personalization technology. The technology analyzes consumer behaviors but addresses privacy concerns by storing viewers’ profile data only on the consumer’s own television or mobile device, the report states, where it can be used to indicate to targeted advertising technology which ad to run or what content would be preferred. [Rapid TV News]

WW – Box Aims for NSA-Resistant Cloud Security; Customers Hold the Keys

File-sharing service Box is working on a cloud storage solution that would put the encryption keys into the hands of its customers instead of the company. Box cofounder and CEO Aaron Levie said the current architecture of the company resembles that of Google or Microsoft “in that we are encrypting all the data on both transit and storage, but we obviously have to manage the encryption key because as a collaborative application we have to broker that exchange between multiple users.” Yet, with some forecasting a $180 billion loss in U.S.-based IT businesses in the wake of the NSA disclosures, the move to provide an “NSA-resistant” service is alluring. Levie said the company is “exploring ways that in the future our customer would be responsible for its keys, and that’s something we may make available to some of the largest organizations.” In other cloud computing news, Sweden’s data protection authority has ordered a Stockholm-based municipality to cease using Google Apps because it may contravene Sweden’s Data Protection Act. [Ars Technica]

RFID

US – US Senate Expands Data Privacy Investigation

Sen. Jay Rockefeller (D-WV) has announced he is expanding his investigation of the data broker industry after several companies refused to disclose specific details about their business practices around the collection and processing of consumers’ personal information. Expanding beyond the nine original data broker businesses, Rockefeller said he will investigate 12 additional health, personal finance and family-focused websites. To this point, the Senate investigation has found that data brokers categorize and market consumer dossiers into groups, and in some cases, the categories included names such as “Rural and Barely Making It” and “Ethnic Second City Strugglers.” Rockefeller said, “Regardless of whether such characteristics are positive, negative or erroneous, the process of determining these characterizations is not transparent to the consumer and is beyond the consumer’s control.” [Financial Times]

Security

US – Report Says it’s Too Soon to Professionalize Cybersecurity

According to a recent report from the National Research Council of the National Academy of Sciences, it is too soon to introduce professionalization standards into the discipline of cybersecurity. According to a member of the committee that produced the report, professionalization may improve the quality of the people entering the profession, but it also prevents others from entering. The report, which was commissioned by the Department of Homeland Security (DHS), observes that because jobs in the discipline of cybersecurity are so diverse, professionalization requires careful analysis and must consider the particulars of each job. Professionalization should move forward when these two criteria are met: stable knowledge and skills requirements, and credible evidence of deficiencies in the workforce’s skills. [NextGov]

Surveillance

US – Judge Says Government Must Declassify More NSA Documents

The Electronic Frontier Foundation (EFF) has announced that a federal judge has ordered the US government to declassify additional NSA-related documents by December 20, 2013. The ruling was made in a lawsuit, Jewel v. NSA, which was initiated in 2008. [ArsTechnica] [EFF.org]

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US – FISA Court Orders Patriot Act Opinions Declassified

The US Foreign Intelligence Surveillance Court (FISC) says it will release some of the legal opinions justifying the government’s wholesale collection of phone data. The FISC has ordered the US government to start declassifying some of its opinions regarding the Patriot Act. The documents will be revealed as a result of a lawsuit brought by the ACLU. [ArsTechnica] [WIRED] [ComputerWorld] [FISC Order]

US – NSA Director Defends Data Gathering Practices to Legislators

NSA Director General Keith Alexander told US legislators that the Foreign Intelligence Surveillance Court (FISC) has not placed an upper limit on the number of phone records the NSA may collect. Alexander said, “I believe it in the nation’s best interest to put all the phone records into a lock box that we can search when the nation needs to do it.” Alexander and several other intelligence officials along with members of the Senate Select Committee on Intelligence were speaking at a committee hearing. At the same hearing, Alexander avoided directly answering a question posed by Senator Ron Wyden (D-Oregon) about whether the agency had used cell phone data to track callers. [ComputerWorld] [Charlotte Observer] Speaking at a cybersecurity summit earlier in the week, Alexander defended NSA data gathering. He also said he is willing to share cyberattack information with private sector organizations. [Washington Post] [ComputerWorld]

US – FISA Court Releases Rationale on Legality of Phone Metadata Collection

The Foreign Intelligence Surveillance Court (FISC) has declassified its rationale that the collection of phone call metadata under the Patriot Act is legitimate. The FISC also noted that no US telecommunication company has ever challenged court orders requiring them to provide bulk telephony metadata. [WIRED] [FISC Opinion] [FISC Rationale on Legality of Metadata Demands]

US – NSA Deploying Security Controls to Prevent More Leaks

The NSA is taking steps to prevent more leaks like those conducted by former contractor Edward Snowden. The agency will digitally tag sensitive documents to limit access to specific analysts. The tags will also help NSA learn what people do with the data they access. NSA CTO Lonny Anderson said that what Snowden did could not be done today. Systems administrators and other people who have privileged access to the NSA system will not do anything alone. The NSA is also limiting how employees store data on removable devices. [ArsTechnica]

US – NSA Seeks Civil Liberties and Privacy Officer

The NSA is seeking a Civil Liberties and Privacy Officer to be selected from within the agency’s ranks. The new position will bring together “the separate responsibilities of NSA’s existing Civil Liberties and Privacy (CL/P) protection programs under a single official.” The officer will help NSA “ensure that CL/P protections continue to be baked into NSA’s future operations, technologies, tradecraft, and policies.” [The Register]

US – 20% of Cybersecurity Positions at DHS Directorate Remain Unfilled

According to the US Government Accountability Office (GAO), the Department of Homeland Security’s (DHS’s) National Protection and Programs Directorate’s Office of Cybersecurity and Communications has a vacancy rate of more than 20 percent. Part of the reason for this is the lag time created by obtaining necessary security clearances for personnel. DHS officials also cite low pay compared to private sector salaries and the fact that there are no clearly defined skill sets for cybersecurity positions. [GovInfoSecurity]

US – Proposed Legislation Would Amend FISA to Limit Data Collection

US legislators have introduced the Intelligence Oversight and Surveillance Reform Act, which aims to protect people’s privacy without sacrificing security. The proposed bill would amend the Foreign Intelligence Surveillance Act (FISA) by prohibiting bulk gathering of phone records and emails and prohibiting national security letters (NSLs) from being used for bulk collection of data. It would also establish the position of an independent constitutional advocate to “argue against the government when the FISC is considering significant legal and constitutional questions.” [ArsTechnica] [CNET] [SCMagazine]

Telecom / TV

US – Court: Debt Collectors’ Cell Phone Calls Exempt from TCPA

A federal judge in Pennsylvania has ruled the Telephone Consumer Protection Act (TCPA) does not apply to debt-collection calls, even those made to cellular phones. In Roy v. Dell Financial Services, the court relied on an earlier court decision that “all debt-collection circumstances are excluded from the TCPA’s coverage.” The decision conflicts with that of nearly all courts that have examined the issue, the report states. Most have found that calls made using automatic dialing systems violate the TCPA unless “prior express consent” has been given. [insideARM]

US – Vodafone Calls For New Approach to Mobile App Privacy Comms

Mobile operator Vodafone is calling on the app development community to take the lead in communicating to consumers a consistent set of privacy guidelines similar to nutrition labels used by the food industry. Vodafone Global Privacy Counsel Kasey Chapelle said the company is telling mobile app developers and other third parties to help safeguard consumer privacy and to communicate how data is collected and shared with advertisers. “We need to develop short-form, consistent privacy notifications along the same lines as nutrition labeling,” Chapelle said, adding, “Mobile operators can’t play the role that we used to (in terms of protecting mobile users’ privacy) any more as people such as handset manufacturers (Apple for example) get involved (with app stores, etc.).” Vodafone is lobbying third parties through trade organizations such as the GSMA and the Mobile Entertainment Forum, the report states. [Marketing Week]

US – Reddit, Civil Liberties Groups Renew Push for Email Privacy

A coalition of digital civil liberties groups is making a renewed push for a bill to reform the Electronic Communications Privacy Act. The coalition relaunched a website this week that supports the E-mail Privacy Act, a bill that would require the government to obtain a warrant any time it wanted access to e-mails or documents stored in the cloud. “Internet surveillance is not going to be completely solved until we have a warrant requirement for content, until the Fourth Amendment protections apply fully to the Internet,” said Mark Stanley of the Center for Democracy and Technology, one of the groups advocating for the bill. [Mashable]

US Legislation

US – California Governor Approves Online “Eraser Button”

California Governor Jerry Brown has signed a bill that requires apps, websites, and online services that target minors to offer an “eraser button.” The feature will allow young people to request removal of information that might have negative effects on their chances of getting into schools or gaining employment. The feature must be in place by January 2015. The button does not allow people to request the removal of content others have posted, nor does it require that the content be deleted from sites’ servers. [CNET] [How California Is Shaping Privacy Law]

US – California Gov Signs Tracking Disclosures into Law

California Gov. Jerry Brown has signed into law an amendment to the California Online Privacy Protection Act (CalOPPA) that requires websites to disclose in privacy policies how they respond to Do-Not-Track signals, making California the first state in the U.S. to impose such regulations on operators. As well as requiring operators to inform users about their handling of browser-based and other DNT mechanisms, the law requires them to disclose whether they allow third parties to collect personal information about users’ online behavior over time and across other sites. Operators who fail to comply with CalOPPA will receive a warning and have 30 days to come into compliance “before being deemed in violation of the law and subject to an enforcement action,” the report states. [Hunton & Williams’ Privacy and Information Security Law blog]

US – California Bill Would Extend Employee Social Media Law to Public Sector

The California Senate has passed a bill that would prevent public agencies from accessing employees’ or potential employees’ personal social media accounts except under certain circumstances. While Labor Code 980 already protects the social media accounts of employees and applicants in private-sector organizations, if Gov. Jerry Brown signs this bill, 980 will be amended to include public entities. The state sheriff’s association and probation officers oppose the bill, saying they won’t be able to appropriately screen candidates. [Lexology]

US – Gov. Signs Bill Allowing Kids to Delete Online Pasts

California Gov. Jerry Brown has signed into law a bill that requires online companies and app developers to give minors the ability to remove their online content. The bill is similar to EU proposals for a right to be forgotten. “A minor with a juvenile record can petition the courts to have it expunged when he turns 18,” said an attorney specializing in Internet privacy. “This new law is akin to what’s already out there in traditional law.” While the law only applies to Californians, companies based outside of the state must comply when dealing with California residents. [610KVNU]

US – UPDATE: Minnesota Off the Hook for DPPA Violation

While an employee of the Departments of Public Safety and Natural Resources may still see charges for inappropriately accessing drivers’ data through the state database, a judge has ruled that the state is not responsible for his alleged violations of the Drivers’ Privacy Protection Act (DPPA). The judge based her ruling on the plaintiffs’ failure “to allege that any act by the state defendants violated the federal Drivers’ Privacy Protection Act—specifically, the complaint does not allege the defendants knowingly ‘obtained, disclosed or used’ any of the plaintiffs’ personal information ‘for a purpose not permitted’ by the DPPA.” [Law360]

US – Senators Address NSA Phone Program; Rival Bills Issued

At least two new bills have been introduced in the Senate addressing the National Security Agency (NSA) phone surveillance program. The Senate Intelligence Committee is looking to swiftly pass legislation that would “change but preserve” the recently revealed dragnet program. The bill, backed by Sens. Diane Feinstein (D-CA) and Saxby Chambliss (R-GA), would require public reports revealing frequency of access by the NSA to the call log database, reduce the retention time from five to two years and require the NSA to send the data it searches to the Foreign Intelligence Surveillance Court for review. A rival bill, backed by Sens. Ron Wyden (D-OR) and Mark Udall (D-CO), would ban the collection program. [New York Times]

US – Sen. Leahy Aims to Revamp NSA Capabilities

Speaking at Georgetown University on September 24, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) said he plans to aggressively pursue legislation to curb the National Security Agency’s surveillance powers. Leahy announced he is working together with USA PATRIOT Act author Sen. Jim Sensenbrenner, Jr., (R-WI) and Sen. Mike Lee (R-UT) to craft the new legislation. “I am convinced that the system set up in the 1970s to regulate the surveillance capabilities of our intelligence community is no longer working,” Leahy said, adding, “In my view—and I’ve discussed this with the White House—the Section 215 bulk collection of Americans’ phone records must end.” [The Hill]

Workplace Privacy

UK – Former Barclays Employee Fired, Fined for Accessing Customer Data

A former Barclays Bank employee has been fined GBP 3,360 (US $5,400) for accessing a customer’s data without permission. Jennifer Addo was found to have accessed the customer’s data 22 times between May and August 2011. The incident came to light when the customer noticed that a friend of Addo’s knew things about him that could only be found out by looking at information in the bank’s possession. Barclays terminated Addo’s employment shortly after the customer registered a complaint. [v3.co.uk] [Information Age] [Credit Today] See also: [I Spy With My Corporate Eye: The Employee Services Conundrum]


+++

01-15 September 2013

Biometrics

US – U.S. to Expand Data Sharing Overseas

The Department of Homeland Security plans to expand foreign biometric data sharing. The Office of Biometric Identity Management (OBIM), now five months old, will use a $33 million contract with Accenture to decrease the time, cost and personnel required to share U.S. biometric data with the UK, New Zealand, Canada and Australia. OBIM provides biometric data to federal, state and local governments to deal with immigration violators, criminals and known or suspected terrorists, OBIM’s deputy director said, adding it aims to improve biometric data-sharing and increase interoperability among the U.S. Departments of Defense, Justice and State. Meanwhile, the U.S. and Japan seek to formalize an agreement on sharing fingerprints of convicted criminals. [FCW] SEE ALSO: [US: Ohio scrambles to secure facial recognition system]

WW – Apple Releases Include Fingerprint Sensor

Apple has released two new iPhones, including a model with a fingerprint sensor that can be used instead of a passcode. In response to privacy concerns, Apple says user fingerprints will only be stored on the phone and will not be shared with app developers. The release is symbolic of a number of new on-the-market devices that use biometric authentication tools. A new wristband, Nymi, contains a voltmeter to read heartbeats. “You put it on. It knows it’s you. It communicates that identity securely to everything around you,” said the wristband’s creator. The biometric devices come on the heels of the recent discovery that even a 55-character password could be broken. [New York Times] [WSJ: Apple’s Fingerprint Feature and Pleading the Fifth] [Apple provides details on Touch ID’s privacy features] [What NSA snoops like about the iPhone] and [Thieves may mutilate owners in bid to gain access to fingerprint-reading handsets, expert warns] and [Canadian company puts password protection a heartbeat away]

WW – NIST: Iris Recognition Authentication Method Needs Some More Work

Federal researchers have reconfirmed the reliability of the iris as an authentication factor. But we’re at least 3 years away from using iris scanning as an advanced method of user authentication for IT systems. What’s holding back iris recognition as an authentication tool to access information on IT systems? According to experts, there are three main reasons: size, cost and culture. Specialized iris-reading cameras are too big to fit into the form factor of a laptop, smartphone or tablet. To be practical, an iris camera needs to be shrunk to the size of a webcam; for now, most iris cameras are much larger. Iris-reading cameras are also too costly to be economically feasible to build into user devices, even if they could fit. Iris scanners and cameras cost hundreds if not thousands of dollars each; imagine what that would do to the cost of a laptop or tablet. Another barrier is the IT security culture. When addressing authentication, many organizations’ IT security groups focus on something the user knows (password) or something the user has (token) and not on who the user is (biometric). That type of thinking needs to change. [Source]

Canada

CA – OIPC: GPS Tracking of Employees Is OK

BC’s Office of the Information and Privacy Commissioner (OIPC) has ruled that two elevator companies in the province can continue to use GPS technology to keep tabs on their employees. The employees had filed complaints that the practice violated their privacy. The OIPC did rule, however, that one of the companies must temporarily suspend the practice until it provides better notice to workers about data collection and use. One privacy advocate says the case indicates the need for new discussions about tracking given advances in technology since legislation on the matter was crafted. Meanwhile, Postmedia News suggests appropriate privacy policies can help keep employers out of trouble. [The Canadian Press]

CA – How to Keep Your Home’s Purchase Price Secret

Clients often ask whether I can keep the price they are paying for their home off the title record. The main reason is for privacy. They don’t think it is anybody’s business but theirs. You can do it if you pay the land transfer tax in advance. The tax is usually paid by your lawyer, but you can do it yourself. If that’s the case, you must include these documents with your request: A cover letter from the lawyer; A copy of the original agreement of purchase and sale; The draft deed to be registered on closing; A copy of the statement of adjustments; Three signed land transfer tax affidavits; and A certified cheque payable to the Ministry of Finance for the amount of land transfer tax owing. The Ministry will then provide your lawyer with a special code to be entered on closing, to confirm that the land transfer tax has already been paid. If the house is in Toronto, you will also have to pay the municipal Land Transfer Tax. In order to pre-pay this tax, there is a similar process that must be followed but you have to send the material to a different location. In all cases, what will show on your title after closing is either zero or $2 for the price paid. [Source]

CA – Saskatchewan Privacy Commissioner Says SGI ‘Over Gathering’ Information

Saskatchewan’s Privacy Commissioner says SGI needs to stop “over gathering” medical information about crash victims, but the government-owned insurer says it’s not up to the commissioner to pass judgment. The latest report from Gary Dickson details the case of a woman who made an injury claim after a collision. SGI told her they would need medical files related to injuries to her neck and back.

But the report shows SGI gathered all of her medical files, including a reference to a sexually-transmitted disease the woman had years earlier. SGI did not explain why it gathered that information. It also says accident claims do not fall under the Privacy Commissioner’s jurisdiction. The information watchdog disagrees. [Source] [Saskatchewan Commissioner concerned] See also: [Ontario Liberals look for place to store 1.4 million boxes of government records]

Consumer

WW – Survey: 86% of ‘Net Users Mask Footprint; Scared of Peers More than Gov’t

According to a recent survey, 86% of Internet users have taken at least one step to remove or mask their digital footprints online, and 55% have taken steps to avoid observation by certain people—including organizations or the government. The survey, conducted in July by the Pew Research Center’s Internet & American Life Project, examined 792 adult Internet users’ responses. Given recent revelations about U.S. government access to data, Director Lee Rainie said he was surprised to find that respondents were more concerned with hiding data from people they knew than the government or law enforcement. [Full Story]

WW – Consumers: Forget Screen Size, Cameras; Sell Us Privacy

Consumers are now more concerned about privacy in the use of their mobile phones and apps than they are about screen size, brand, weight or camera resolution. That’s according to TRUSTe’s 2013 Consumer Data Privacy Study, which polled more than 700 U.S. smartphone users. Only a phone’s battery life topped privacy when users prioritized their concerns. [Full Story] SEE ALSO: [Canada’s Moral Compass Points to Apathy on Online Privacy]

US – Insurer Wants Out of Breach Coverage in ZIP Code Case

Consumers in California, Massachusetts and Washington, DC, are suing Urban Outfitters, Inc., and its subsidiary, Anthropologie, Inc., for collecting ZIP codes during credit card transactions. OneBeacon American Insurance Company says the retailer’s insurance doesn’t cover such privacy issues, the report states, and is asking a federal judge to absolve it of any obligation in the case. [Main Justice] For a primer on this issue, see Angelique Carson’s report, with a guide to ZIP code law.

US – Project Aims to Educate About Digital Footprints

A National Science Foundation-funded project called Teaching Privacy and a related online tool let users track the location of Twitter and Instagram users. Both the project and the “Ready or Not” tool aim to educate individuals—particularly high school students—about online privacy and how our personal information forms a digital footprint. Expanding on the Ready or Not geo-tracking tool, Gerald Friedland, an International Computer Science Institute researcher working on the Teaching Privacy project, said, “Most people…do not know that if you tweet something this location data is actually publicly available.” The researchers are also working on a study showing that an anonymous account holder of a service such as Yelp can have reviews cross-referenced with location data and timestamps on other services to reveal the user’s identity. [GigaOm]

JP – Tokyo Taxis Alert Passengers When They Leave Something Behind

Each taxi will be equipped with four cameras: one under the driver’s seat, one under the front passenger seat, one on the ceiling and one in the taxi’s trunk. The system works by comparing before and after images of the areas photographed. If the system detects an item left behind, such as a purse or a mobile phone, it instantly sounds an alarm, allowing the passenger to retrieve his or her belongings before the taxi drives off. To address privacy concerns related to the new system, the company claims the system won’t capture clear images of faces, and signs will be posted inside the vehicles to alert passengers to the cameras. Tokyo taxi drivers reportedly turned in to police 210,000 objects left behind in their cars last year. The company also claims that it has recovered a vast range of items from its cars over the years. It says that mobile phones account for about 60 per cent of objects left behind. [Source]

E-Government

US – Employees Improperly Used Driver’s License Database: Suit

Eighteen people plan to file a lawsuit in Minneapolis federal court, claiming that government employees in Winona and more than 50 other Minnesota counties and cities violated their privacy by inappropriately using the state’s driver’s license database. The complaint alleges that “government officials targeted citizens based on their political involvement” and searched private information using the database, commonly used by law enforcement. Attorney Erick Kaardal, who represents the accusers, said he plans to reveal evidence of more than 600 illegal searches by employees of municipalities. The state’s driver’s license database made news last year, when a Department of Natural Resources employee was accused of using it to access the records of thousands of people, the vast majority of whom were women. A February 2013 report from the state legislative auditor’s office found numerous cases of abuse, including a case where 88 law enforcement employees misused the database, and some continued to do so after leaving their jobs. The report found that more than half of law enforcement personnel who used what’s called the Driver and Vehicle Services database had searched information on people with their same last name, or searched primarily for either women or men during 2012. “Law enforcement personnel have used their access to driver’s license data for non-work purposes or work purposes that are not allowed by state law,” the report found. The office’s report said monitoring, accountability, and training all need to be strengthened. [Source]

E-Mail

US – Lavabit Owner Appealing Surveillance Order

Lavabit owner Ladar Levison has appealed the secret surveillance order received from the US government that prompted him to shutter his business in August. The details have been placed under seal. The surveillance order forbids Levison from disclosing what the government has asked of him or who its target was. [WIRED]

US – Archives: Federal Workers May Use Secret Emails

Administration officials and other federal workers may continue to use secret government email accounts to conduct official business as long as the messages are safely preserved and turned over when they are sought under the Freedom of Information Act, the nation’s record-keeping agency said. New rules from the National Archives and Records Administration follow an Associated Press investigation earlier this year that found that some Obama administration political appointees used government email accounts that were not disclosed to the public or to congressional officials. On Tuesday, U.S. Archivist David Ferriero told a House oversight hearing that he doesn’t care how many email addresses government officials use. But Republican lawmakers said multiple email accounts, while they could be useful for organizing large numbers of emails, may complicate efforts to pinpoint which accounts belong to whom. [Source] SEE ALSO: [Deleted emails in power plant scandal prompts push for training] and [Google lawsuit stirs debate over email privacy rights]

Electronic Records

US – ONC Releases Guidance on Interoperable E-Health Exchanges

The Office of the National Coordinator for Health Information Technology has released guidance in order to facilitate interoperable electronic health information exchanges. While many healthcare providers qualify for Medicare and Medicaid electronic health record incentive payments under the HITECH Act, there are many providers that are ineligible for such payments. The guidance aims to “serve as a building block for federal agencies and stakeholders to use as they work with different communities to achieve interoperable electronic health information exchange.” [Source]

CA – MGS Statement on Commissioner Cavoukian’s Special Report

Minister of Government Services John Milloy made the following statement on the actions taken to comply with the recommendations in the Special Report on the records management practices of political staff: “I want to thank the Information and Privacy Commissioner again for her report and for meeting with me in June. Our government takes its recordkeeping obligations seriously and we are committed to being open, accountable and transparent. Addressing Dr. Cavoukian’s recommendations has been a top priority to ensure that situations referred to in her report do not happen again. I want to thank both the offices of the Information and Privacy Commissioner and the Integrity Commissioner for working with our government on these important issues. The actions we are announcing today address all of Dr. Cavoukian’s non-legislative recommendations, including:

  • Developing a mandatory training program for all political staff to ensure that staff are fully aware of and trained in their records management obligations;
  • Creating a working group of Premier’s Office staff, Cabinet Office staff and Ministry of Government Services staff to clarify and strengthen the government’s records retention policies and practices so that they can successfully be put into practice;
  • Appointing ministers’ chiefs of staff and the Premier’s chief of staff as the persons accountable for the implementation and compliance with records management policies in each of their respective offices and appointing a senior advisor in the Premier’s Office to provide advice and guidance to all offices on these issues; and,
  • Improving archiving requirements by conducting a review of the archiving schedules.

The Premier has also issued a directive to all political staff underlining the serious obligations of staff to manage records in accordance with approved records retention schedules, and to complete mandatory training. [Source] and [Statement from Commissioner Cavoukian in response to September 4 statement by the Minister of Government Services]

Encryption

WW – NSA Undermines High Level of Internet Encryption

The latest leak from former government contractor Edward Snowden reveals the U.S. National Security Agency has “circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, web searches, Internet chats and phone calls of Americans and others around the world,” according to a multi-pronged report by The New York Times, ProPublica and The Guardian. Since 2000, the agency has invested billions of dollars to influence international encryption standards and force technology companies to provide backdoor access to encrypted communications. The ACLU’s Christopher Soghoian said the programs are “making the Internet less secure and exposing us to criminal hacking, foreign espionage and unlawful surveillance,” adding that it “will further erode not only the United States’ reputation as a global champion of civil liberties and privacy but the economic competitiveness of its largest companies.” [Full Story] See also: [Real privacy means oversight – Op-Ed: Ann Cavoukian, Ron Deibert, Andrew Clement and Nathalie Des Rosiers, The Globe and Mail] and [Canada complicit in undermining Internet privacy: Geist] and [US: Johns Hopkins reverses decision forcing prof to pull NSA post] and [US – Poll: Public Doubts Rise on Surveillance, Privacy] and [Ontario Privacy Watchdog Is Not Amused With The NSA] and [Schneier on NSA’s encryption defeating efforts: Trust no one]

WW – Google Encrypts Data Amid Backlash Against NSA Spying

Google is racing to encrypt the torrents of information that flow among its data centers around the world in a bid to thwart snooping by the NSA and the intelligence agencies of foreign governments, company officials said. The move by Google is among the most concrete signs yet that recent revelations about the NSA’s sweeping surveillance efforts have provoked significant backlash within an American technology industry that U.S. government officials long courted as a potential partner in spying programs. Google’s encryption initiative, initially approved last year, was accelerated in June as the tech giant struggled to guard its reputation as a reliable steward of user information amid controversy about the NSA’s PRISM program, which obtains data from American technology companies, including Google, under various legal authorities. Encrypting information flowing among data centers will not make it impossible for intelligence agencies to snoop on individual users of Google services, nor will it have any effect on legal requirements that the company comply with court orders or valid national security requests for data. But company officials and independent security experts said that increasingly widespread use of encryption technology makes mass surveillance more difficult — whether conducted by governments or other sophisticated hackers. [Source]

EU Developments

EU – MEPs Call for Halt to Anti-Terror Program

Amidst ongoing U.S. National Security Agency surveillance program revelations, Members of the European Parliament (MEPs) are calling for “the immediate suspension” of the Terrorist Finance Tracking Program (TFTP). “I think there is more than enough evidence to call for a suspension,” said Dutch MEP Sophie in’t Veld. The TFTP allows the U.S. Treasury access to data that international bank transfer company Swift stores in Europe, but NSA revelations indicate the U.S. spied on Swift, the report states. German MEP Jan Philipp Albrecht said, “The NSA surveillance is an open breach of the agreement and further undermines the already insufficient data protection given to European citizens under the deal.” [CIO]

EU – New Data Breach Notification Requirement in Effect

SC Magazine reports on the new data breach reporting requirement in the EU. The requirement took hold last week and requires telecommunications and Internet service providers in the EU to report a data breach to authorities within 24 hours of the moment the breach is discovered. Meanwhile, Laura Vivet Tañà examines the proposed EU data protection regulation’s breach notification rule, including such key elements as what should be considered as a personal data breach, the notification requirement and consequences of a security breach. [Full Story]

EU – Safe Harbor May Be Controversial in the EU, But It Is Still the Law

Safe Harbor has become a target for retribution in light of revelations about the National Security Agency’s PRISM program. It has come under fire from Rapporteur Jan Albrecht and the Article 29 Working Party, among others. While various officials have promised reviews and improvements to the framework, none have yet been released. Damon Greer, who directed the EU-U.S. and Swiss Safe Harbor frameworks from 2006-2011, discusses Safe Harbor’s fate. [Full Story]

Filtering

EU – Mosley Wants Censorship Google Isn’t Willing to Give Up

Former Formula One boss Max Mosley wants Google to set up a personal filter to stop personal images of him from appearing on the search engine. The images of Mosley were ruled to be a breach of his privacy rights by a UK court in 2008. Google is willing to remove links to sites where the images are used, but says setting up a permanent filter for the pictures would mean an “alarming new model of automated censorship,” the report states. [Financial Times]

Finance

US – CFPB Seeks to Monitor Credit Card Transactions

Officials at the Consumer Financial Protection Bureau (CFPB) are seeking to monitor 80% of all U.S. consumer credit card transactions this year through a controversial data-mining program. A CFPB planning document for fiscal years 2013-17 indicates plans for a “markets monitoring” program as well as plans to monitor up to 95% of mortgage transactions. “This is one step closer to a Big Brother form of government where they know everything about us,” said Rep. Sean Duffy (R-WI) at a hearing on the matter last week where critics asserted the agency’s plans are beyond its authority. [Washington Examiner]

WW – G20 Countries to Share Tax Records to Crack Down on Cheats

Tax records will be shared around the world by 2015 as part of a G20 pledge to crack down on individual tax cheats and global corporations with complicated arrangements aimed at paying as little tax as possible. The topic of taxation in a global economy has become a major political issue of late, as multinational firms like Apple and Starbucks have faced scrutiny over their corporate structures. Further, investigative reports into the use of offshore tax havens by the world’s wealthiest individuals added momentum to the view that governments are getting short-changed of much needed revenue. As business increasingly moves online and international, cash-strapped governments approved an aggressive timeline to adopt the automatic exchange of tax information among the G20. The deal was solidified after China, the last holdout, agreed to the plan just days before the summit in St. Petersburg. A proposed U.S. law requiring foreign governments – including Canada – to report banking information involving U.S. citizens has already run into concerns from the Canadian government and attracted the attention of Canada’s privacy commissioner. Questions of privacy will likely increase given that the G20 includes non-democratic countries where human rights are a concern, including China and Saudi Arabia. [Source]

FOI

WW – Internet Giants Make New Push for FISA Transparency

As gloomy predictions about the impact of privacy fears on the Internet economy grow ever more frequent, and major concerns about the future of the Internet are expressed, big firms like Facebook, Google, Yahoo and Microsoft have stepped up their efforts in petitioning the U.S. government to allow them to share more about government requests for data with their customers. Computerworld sums up a number of the blog posts from these companies, which outline their legal efforts toward transparency. “The actions and statements of the U.S. government have not adequately addressed the concerns of people around the world,” wrote Facebook general counsel Colin Stretch, in his post. [Full Story]

US – Yahoo Issues First Gov’t Transparency Report

Yahoo’s first government transparency report indicates the company “received 12,444 requests for data from the U.S. government so far this year” related to the accounts of 40,322 users. Of those requests, “37% disclosed the content of Yahoo accounts, such as words in e-mails, photos or uploaded files. In about 55% of the requests made, the company disclosed information about its users that did not involve content but gave information such as names, location data and e-mail addresses.” To date, the report states, Yahoo has rejected “two percent of those federal government requests.” [The Washington Post] SEE ALSO: [Toronto Mayor Rob Ford’s office on ‘honour system’ to release all requested records]

US – Internet Companies Seek Permission to Disclose Gov’t Data Requests

Facebook, Google, and Yahoo have filed a petition with the US Foreign Intelligence Surveillance Court, seeking permission to disclose more information about secret data requests made by the government. The companies are stepping up their push because earlier efforts, made in the wake of revelations about the existence of PRISM and other government surveillance programs that surfaced earlier this summer, were not successful. The companies want to disclose detailed information about national security requests made under FISA. Google has asked that the hearing be made public. [NBC News] [CNET] [ComputerWorld]

Genetics

EU – Proposed DNA Bill in Ireland Leans Toward Destruction

Minister for Justice Alan Shatter has published a bill on the establishment of a national DNA database. The bill takes into account privacy concerns about earlier versions of the bill on destruction of samples and deletion of DNA profiles, among others. Shatter’s bill would allow authorities to take DNA samples from most criminal suspects but the default would be in favor of the destruction of such samples when an individual is not convicted. [Irish Times]

WW – What Happens if Newborns’ Entire Genomes are Screened?

The U.S. government is funding studies on what happens if you screen newborns’ entire genomes. The aim of the study is to find out if the data results in better healthcare or simply data overload. “We would like to see if genome sequencing can shed light on disorders that we don’t screen for currently,” said National Institute of Child Health and Human Development Director Dr. Alan Guttmacher, adding there are questions involved. “How do we protect the baby’s privacy? Where will the baby’s genome data be stored, and who will have access to it?” [NBC News] SEE ALSO: [The Privacy Conundrum And Genomic Research: Re-Identification And Other Concerns]

Google

US – Google Case Can Proceed, Appeals Court Rules

A federal appeals court in San Francisco has said a lawsuit accusing Google of illegal wiretapping can proceed. The case involves Google’s Street View initiative, in which Google vehicles collected e-mail, passwords and other personal information from unencrypted home networks. Google wanted the case dismissed, arguing the data it accessed was exempt from the Wiretap Act because it was readily accessible to the general public. The appeals court agreed with an earlier federal court’s ruling, reasoning that, “Even if it is commonplace for members of the general public to connect to a neighbor’s unencrypted Wi-Fi network, members of the general public do not typically mistakenly intercept, store and decode data transmitted by other devices on the network.” [The New York Times]

US – Federal Appeals Court Denies Google’s Bid to Dismiss Street View Lawsuit

The US 9th Circuit Court of Appeals has ruled that Google’s inadvertent harvesting of users’ personal information from unprotected Wi-Fi routers while collecting data for Street View is not exempt from the Wiretap Act and that the company may be held liable for civil damages. Google had sought to have the lawsuit dismissed, arguing that transmissions over Wi-Fi networks are “readily accessible to the general public.” [WIRED] [Ars Technica] [ComputerWorld] [ZDNet] [BBC.co.uk]

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court on Thursday, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Associated Press] SEE ALSO: [Google security exec: ‘Passwords are dead’]

Health / Medical

US – New HIPAA Rules Require Revised Notices; Deadline Looms

Earlier this year, the Department of Health and Human Services Office for Civil Rights released omnibus regulations significantly changing HIPAA’s privacy, security, enforcement and breach notification rules. An article for Boston’s WBUR looks at what the changes mean for patients. Under the changes, covered entities must update and post a revised notice of privacy practices before September 23. In this report for Lexology, attorneys from Wilson Elser describe what such notices must include. Meanwhile, California lawmakers are considering proposing stricter HIPAA regulations. [Full Story] SEE ALSO: [US: Your Cat’s Name Could Soon Be Your “Personal Information”]

US – FTC Files Complaint Against LabMD; Companies Suffer Breach Fallouts

The FTC has filed a complaint against medical testing laboratory LabMD, Inc., alleging the company failed to reasonably protect consumers’ personal data, including medical information. The FTC alleges that in two incidents LabMD collectively exposed 10,000 consumers’ personal information. Meanwhile, the insurance company for Schnuck Markets has filed a lawsuit against the company seeking release from liability after a data breach earlier this year, and The University of Texas has informed patients of a data breach after a laptop containing their personal data was stolen. In Florida, the State Department of Health is the subject of criticism over new proposals regarding an online prescription database. And the U.S. Department of Energy has disclosed new information on a data breach affecting more than 14,000 employees. [Full Story]

US – Surgery Photo Prompts Privacy Concerns

A former patient has filed a civil lawsuit against a Los Angeles-based medical center after her doctor and his assistant decorated her face and took a photo while she was unconscious during a surgery. The state also investigated the case. The incident, as well as another involving a salesman taking a photo of a naked patient without the patient’s knowledge, has sparked concerns about mobile devices in healthcare facilities. “The idea that people are using their cellphone or even have one in the operating room is crazy,” said Deborah Peel, founder of Patient Privacy Rights. “It’s a massive security risk and incredibly insensitive to patients.” [Los Angeles Times] [Surgery photo leads to privacy lawsuit against Torrance Memorial]

Horror Stories

US – Hacker Accesses Two Million Vodafone Accounts

An intruder “with insider knowledge” hacked into a Vodafone server located in Germany and gained unauthorized access to approximately two million customer accounts. Compromised personal information includes names, addresses, dates of birth and bank account information but did not include credit card information, passwords, PIN numbers or phone numbers, according to a company statement (in German). According to the report, Vodafone shares fell 0.8% yesterday. The attack was detected earlier this month and was halted. [Bloomberg] SEE ALSO: [Wal-Mart investigates privacy breach at Regina store]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. [Source]

US – Schools, Council Investigate Breaches

The Medical University of South Carolina sustained the largest breach of its history between June 30 and August 21 after a third-party credit card processing company compromised 7,000 patients’ data. Meanwhile, parents of 130 children at two elementary schools in Virginia say their children came home with other students’ sensitive data, prompting fears of identity theft. The Washington Post reports Washington, DC’s privacy officer has “serious concerns” after a paramedic wrote a letter to the DC Council that included a patient’s data, and the University of South Florida is investigating a data breach caused by an employee. [HealthITSecurity]

US – Breach Settlements and Class-Actions Filed

A recent dismissal of a case arising from a credit card skimming attack suffered by Barnes & Noble by the U.S. District Court for the Northern District of Illinois demonstrates the struggle plaintiffs face in trying to articulate injury, write attorneys for Ropes & Gray, LLP. Meanwhile, ModernHealthcare discusses the legal consequences of a recent and massive data breach at Advocate Health Care. MediaPost News reports on both a potential class-action filed in Illinois accusing Google of violating its privacy policy and on Netflix users’ request that a $9 million settlement of a class-action lawsuit be nixed. [Full Story]

Identity Issues

US – Aggregator to Show Users Their Data

Data aggregator Acxiom is planning to unveil a free website where U.S. consumers can view the data the company has collected on them. Users who visit AbouttheData.com will view data on themselves including homeownership status, vehicle details, recent purchase categories and household interests. The site will allow users to click on icons to view the source the aggregated data came from originally. Acxiom’s CEO says the company aims to alleviate consumer fears on data aggregation by being more transparent. Meanwhile, a new UK platform allows users to sell direct access to their data to bidding companies. [The New York Times] [US: Acxiom Lets Consumers See Data It Collects] SEE ALSO: [Dear Janice Lokelani Keihanaikukauakahihuliheekahaunaele: Your name is way too long for your ID]

SK – South Korea Steps Up Authentication Measures to Fight Financial Fraud

In an effort to combat cyber fraud, South Korea’s Financial Supervisory Service (FSS) says that as of September 26, 2013, people who conduct online transactions with banks, insurance companies, brokerage firms, and other financial institutions will be required to identify themselves through text messages or automated response systems. [ZDNet]

CA – Protect New Passport from Hackers: Expert

As of July 1, Canada joined several other countries and added computer chips to all new passports — they carry the passport information and a digital photo. An airport reader scans the passport and accesses the information on the chip in order to verify the identity of the passport holder. The chips in the new passports work on radio-frequency identification, the same technology used in security ID cards and door readers. It is also the same technology that some smartphones have, using near field communication (NFC), which lets smartphones communicate by bumping, or lets people pay for parking using their smartphones. An NFC-enabled smartphone can access the data on chip-enabled passports using an app, giving the user access to the data in 30 seconds. The app is one of several similar apps available in the Android app store. If a user can enter the passport number, the holder’s date of birth and the date of expiry, they can access the information on the chip, including a digital version of the passport picture, with one tap of their phone. Rick Dykstra, parliamentary secretary to Citizenship Minister Chris Alexander, said the passports are still safer than the previous non-chipped versions. “Are they perfect? No. There are always fraudsters and hackers out there who will continue to try to take advantage, but we believe that we’re building a passport that is many times stronger and safer than the previous passport,” Dykstra said. There are ways to protect passports from being read, Neville said, recommending people protect their passports by placing them in RFID-proof cases, which surround the passport and prevent signals from coming in or going out, unless the passport is taken out of the case. American passports, for example, have that RFID-proofing built into their covers so they can only be scanned when opened. [Source]

UK – Government Signs First ID Assurance Contracts for Online Transactions

The UK government has signed contracts with the Post Office, Verizon, Experian, Digidentity and Mydex for the supply of the first live identity assurance services to drive secure online government transactions. The new cross-government identity assurance framework will see the contractors providing a service to enable people to assert their identity online without security concerns. The development of the identity assurance service will be managed by the Cabinet Office. PayPal, Cassidian and Ingeus have also been awarded a place on the identity assurance framework. The GDS (Government Digital Services) has undertaken a redesign of 25 of the most-used transactional public services in a bid to make them simpler and easier to use. The services include electoral registration, patent renewals and Universal Credit. [Source] See also: [Account Takeover: The Fraudsters’ Edge]

Intellectual Property

UK – ISPs to Collect Data on Illegal Downloaders – Reports

Media companies have asked UK broadband providers to collate information on illegal downloaders, which could violate data protection laws. Those caught committing piracy could be subject to internet throttling and even prosecution. In an attempt to clamp down on the illegal downloading of music and films, the British Phonographic Industry (BPI) and the British Video Association have requested BT, Virgin Media, BSkyB and TalkTalk to record information on piracy. The new code of conduct would oblige the companies to gather data on illegal downloaders and store it in a database. The information could then lead to repeat offenders having their internet cut off or being prosecuted. Internet users will reportedly be given warnings by letter before these measures are taken, reports the Guardian. The move has attracted controversy amid speculation that it may violate the Data Protection Act, as the law says that companies may only retain personal data relating to a client if it is for commercial purposes. The proposal comes as part of a nationwide clampdown on growing internet piracy. Between November 2012 and January 2013, UK watchdog Ofcom reported that 280 million music tracks had been pirated, as well as 52 million television programs. Furthermore, Ofcom found that 18% of internet users aged over 12 had recently committed internet piracy, while only 9% actually fear getting caught. [Source]

Internet / WWW

WW – Experts Want Web Security Rewritten

Internet security experts are calling for a campaign to rewrite web security following news that the U.S. National Security Agency is capable of breaking millions of sites’ encryption codes. But that’s a task that would be extremely difficult, the experts admit. “A lot of our foundational technologies for securing the Net have come through the government,” said researcher Dan Kaminsky, adding, “As much as I want to say this is a technology problem we can address, if the nation states decide security isn’t something we’re allowed to have, then we’re in trouble.” Meanwhile, Chris Matyszczyk writes for CNET that trusting corporations over the government when it comes to data privacy is flawed logic. [Reuters]

WW – Academics Explore the Intersection of Privacy and Big Data

In anticipation of the Future of Privacy Forum and Stanford Center for Internet and Society workshop on meeting the challenges of Big Data and privacy, Stanford Law Review has released its 2013 Symposium Issue with contributions from academics and other privacy experts. Academic works cover topics such as Big Data rewards, classification and fairness, paradoxes of Big Data, “preemptive analytics” and public vs. nonpublic data. Meanwhile, a new post by Ari Waldman in Concurring Opinions explores the “sociology of privacy.” [Full Story]

Law Enforcement

US – Law Enforcement Surveillance Tools Abound

Ars Technica reports on BlueJay—a “Law Enforcement Twitter Crime Scanner.” The program provides real-time access to the “firehose” of public tweets so police can track suspects, keywords, locations, public events, social unrest and department mentions. The Verge reports on Italian-based firm Hacking Team and how the small tech security firm started from two programmers who created a suite of hacking tools. The Milan police eventually contacted the programmers with the intent of purchasing their hacking tools. Hacking Team now boasts 40 employees and sells commercial hacking software to law enforcement in “several dozen countries” on “six continents.” Meanwhile, a recent Foreign Intelligence Surveillance Court opinion states the Edward Snowden leaks “have engendered considerable public interest and debate about Section 215.” [Source] SEE ALSO: [UK: Dozens of police workers being investigated every year for misusing force computers to obtain confidential information]

US – ACLU Report Voices Qualms With License-Plate Scanning

Approximately 75% of U.S. police departments are using or plan to use license-plate scanning technology to help solve crimes. The American Civil Liberties Union (ACLU) says the technology has the potential to collect data on innocent Americans and can be used in ways that violate privacy. “In our society, it’s a core principle that the government doesn’t watch people’s innocent activities just in case they may be connected with a crime,” said Allie Bohm of the ACLU, adding that often “police are retaining this data indefinitely with few privacy protections … It can reveal people’s political views, religious activities and a lot of other personal information.” [Business Insider] SEE ALSO: [AUS: Queensland Premier Campbell Newman says civilians will take place of police in speed camera vans on back of Keelty review] [AUS: NSW Police to be quizzed over numberplate photography data as part of report into privacy]

US – Attorney General Launches Database Probe

Following law enforcement’s increasing use of facial-recognition software, Ohio Attorney General Mike DeWine has requested a review of a law enforcement database. The Ohio Law Enforcement Gateway allows about 300 Ohio law enforcement agencies to access records in a sex-offender registry, driver’s license and motor vehicle registration files and criminal history. There are more than 30,000 approved users. DeWine has formed a working group to discuss safeguards against hacking and privacy violations. [The Columbus Dispatch] See also: [Victoria Police want you to send them photos of distracted drivers]

Location / Mobile

WW – Group Releases Privacy Notice Generator

MEF, a mobile content and commerce industry trade organization, has launched a privacy notice generator for app developers, and the goal, according to the group’s press release, is “to build consumer trust in mobile apps by helping developers apply best practice in the collection and sharing of personal data.” By checking off boxes detailing what data is collected, the free online tool “produces a bespoke privacy policy as HTML code that can be customized and embedded directly into the developer’s application.” Future of Privacy Forum Executive Director Jules Polonetsky said, “AppPrivacy is a useful resource that will help developers effectively and easily create a mobile-friendly privacy policy.” [Bloomberg]

Online Privacy

US – Company Admits Facebook Privacy Violation

HasOffers, a company that provides tools for tracking the performance of online ads, has acknowledged it “recently ran afoul of Facebook’s user privacy policies, and it has had to change its marketing practices.” The company’s CEO noted the company’s “MobileAppTracking platform inappropriately allowed advertisers to obtain device-level attribution and performance data. This was a mistake on our part.” Meanwhile, U.S. Sen. Al Franken (D-MN) has written to Facebook’s Mark Zuckerberg urging the company to rethink plans to use profile photos for tagging suggestions, citing concerns about facial recognition and its ability to track people in the “real world.” [VentureBeat]

WW – Facebook Flaw Allowed Hackers to Delete Posted Photos

A security flaw that allowed hackers to delete any image stored on Facebook has been discovered by Indian researcher Arul Kumar — and he has been rewarded for his efforts. The Facebook flaw, explained at length on Kumar’s blog, exploits the Facebook Support Dashboard. Considered “critical,” the bug works with any browser and any version, but was most successfully exploited through mobile devices. The Facebook Support Dashboard is used to send Photo Removal requests to the firm. Reports are reviewed by Facebook employees, or alternatively reports can be sent directly to the image’s owner. A link is then generated to remove the photo — which, if clicked by the owner, removes the offending image. However, while sending the message, two parameters — Photo_id & Owners Profile_id — are vulnerable. If modified, the hacker could receive any photo removal link in their own inbox, without the owner’s interaction or knowledge. Every photo has an “fbid” value, which can be found through a Facebook URL. After the image ID has been secured, two Facebook user accounts — where one would act as a “sender” and one as a “receiver” — can be used to receive a ‘remove photo link’. Owner profile IDs can be found by using Facebook Graph. [Source]
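Stripped of the Facebook specifics, the bug described above is a missing server-side authorization check: the service trusted a client-supplied owner identifier when deciding where to deliver a removal link, and the link itself was not bound to the real owner. The following is an added illustration, not Facebook’s code or Kumar’s, of a hypothetical minimal “report a photo, mail the owner a removal link” service in its vulnerable and hardened forms; the class and method names (PhotoRemovalService, request_removal, click_removal_link) and the sample photo table are assumptions constructed for this example.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class RemovalLink:
    photo_id: str
    recipient: str  # account whose inbox receives the link
    token: str      # server-issued proof that the link was legitimately generated


class PhotoRemovalService:
    """Hypothetical model of a removal-link flow (constructed for this example)."""

    def __init__(self, photos, hardened):
        self.photos = dict(photos)   # photo_id -> owning account (server-side truth)
        self.hardened = hardened
        self.key = secrets.token_bytes(32)
        self.audit = []              # mismatch events a defender would alert on

    def _token(self, photo_id, bound_to):
        msg = f"{photo_id}|{bound_to}".encode()
        return hmac.new(self.key, msg, hashlib.sha256).hexdigest()

    def request_removal(self, requester, photo_id, owner_id):
        if photo_id not in self.photos:
            return None
        if not self.hardened:
            # VULNERABLE: owner_id is taken from the client, so the link is mailed to
            # whatever account the reporter named, and the token is not bound to an owner.
            return RemovalLink(photo_id, owner_id, self._token(photo_id, "*"))
        # HARDENED: the owner comes from the server-side record; a client-supplied
        # owner_id that disagrees is refused and logged rather than honoured.
        real_owner = self.photos[photo_id]
        if owner_id != real_owner:
            self.audit.append(("owner_mismatch", requester, photo_id, owner_id))
            return None
        return RemovalLink(photo_id, real_owner, self._token(photo_id, real_owner))

    def click_removal_link(self, acting_user, link):
        if link.photo_id not in self.photos:
            return False
        if not self.hardened:
            # VULNERABLE: anyone holding a validly signed link can delete the photo.
            ok = hmac.compare_digest(link.token, self._token(link.photo_id, "*"))
        else:
            # HARDENED: the clicker must be the real owner AND hold a token bound to them.
            real_owner = self.photos[link.photo_id]
            ok = (acting_user == real_owner
                  and hmac.compare_digest(link.token, self._token(link.photo_id, real_owner)))
            if not ok:
                self.audit.append(("bad_redeem", acting_user, link.photo_id))
        if ok:
            del self.photos[link.photo_id]
        return ok


SAMPLE_PHOTOS = {"fbid-1001": "alice", "fbid-1002": "bob"}  # constructed sample data


def demo(hardened):
    """Returns (photo_deleted, photo_still_present, audit_events) for one tampered request."""
    svc = PhotoRemovalService(SAMPLE_PHOTOS, hardened)
    # A third party reports alice's photo but names their own account as the owner.
    link = svc.request_removal("mallory", "fbid-1001", "mallory")
    deleted = link is not None and svc.click_removal_link("mallory", link)
    return deleted, "fbid-1001" in svc.photos, len(svc.audit)


if __name__ == "__main__":
    print("vulnerable:", demo(False))  # (True, False, 0)
    print("hardened:  ", demo(True))   # (False, True, 1)
```

The two design choices that close the hole are independent and both worth keeping: route and bind the link using the owner recorded on the server, never the value in the request, and verify at redemption time that the clicking account is that owner. The audit list shows the cheap detection signal this yields: a reporter whose claimed owner disagrees with the record is exactly the event to alert on.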

WW – Will Going Public Diminish Privacy on Twitter?

News that microblogging site Twitter plans to go public has prompted some to ask whether certain privacy functions on the site will have to go by the wayside to help generate revenue. The company plans to exact a $15 billion IPO on $500 million of revenue and, to help boost its bottom line, Twitter may have to do away with its Do-Not-Track option. The report also questions whether Twitter may cease publishing its transparency reports and how much it will comply with foreign government requests to remove or share user data. “As the social media company executes its plans to expand abroad,” the report states, “it has much less of an incentive to get into spats with foreign governments over user data.” [Blouin News]

US – Facebook Delays Planned Policy Changes

Following heat from six major consumer privacy groups, Facebook says it will delay planned changes to its privacy policies. The coalition asked the U.S. FTC to block the changes, arguing they would make it easier for Facebook to use user data to endorse advertisements without their consent. “We are taking the time to ensure that user comments are reviewed and taken into consideration to determine whether further updates are necessary, and we expect to finalize the process in the coming week,” Facebook said in a statement. [Los Angeles Times]

US – Coalition Asks FTC to Block Facebook Policy Changes

A coalition of six major consumer privacy groups has asked the FTC to block coming changes to Facebook’s privacy policies. The coalition—which includes EPIC, the Center for Digital Democracy, Consumer Watchdog, Patient Privacy Rights, U.S. PIRG and the Privacy Rights Clearinghouse—says the changes would make it easier for the site to use users’ data. The coalition wrote a letter to the FTC stating the changes violate a 2011 settlement and order with the FTC. [The New York Times]

WW – HP Launches Regulatory-Compliance Service

Hewlett-Packard (HP) has launched a service that aims to help organizations comply with government privacy regulations. HP’s Data Privacy Services contains a suite of services addressing data sanitization, defective media retention and comprehensive defective material retention. “What we’re seeing is demand for this type of service from customers, driven by compliance and liability concerns about leakage of data,” said an HP spokesman. [eWEEK]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [AdWeek]

Other Jurisdictions

AU – OAIC Releases Draft Guidelines

The Office of the Australian Information Commissioner (OAIC) has released the draft Australian Privacy Principle (APP) guidelines for public feedback. The guidelines outline how the OAIC will interpret and apply the APPs, which go into effect in March of next year, the report states. Australian Privacy Commissioner Timothy Pilgrim said the new laws require government agencies and private-sector organisations to be more open and transparent on data handling. “This will give people a better understanding of how their information will be handled so that they can make an informed decision about interacting with the entities covered by the Privacy Act,” he said. [Computerworld]

AU – Long Delays Before Privacy Complaints Assessed

Australia’s federal Privacy Commissioner has blamed the federal government for long delays in assessing breach-of-privacy and freedom-of-information complaints. Complaints about privacy are not being allocated to case officers until just over five months after submission, taking about 19 weeks longer than the usual four-week period. Separately, freedom-of-information matters (complaints and requests for reviews) are not being allocated to officers for up to seven months. Privacy Commissioner Timothy Pilgrim said that while overall privacy complaints increased by 10% during the previous financial year, “staffing levels have decreased in line with the need to meet efficiency dividends imposed by government”. The combination of an increase in complaints and fewer staff was the reason for the backlog, he said. [Source]

SA – National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Full Story] and [South Africa: New privacy law will have ‘significant impact’ on businesses]

Privacy (US)

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [Full Story] See also: [US: Marketer of Internet-Connected Home Security Video Cameras Settles FTC Charges It Failed to Protect Consumers’ Privacy]

US – FTC Investigating Facebook Policy Changes

The FTC has initiated an investigation of Facebook’s recently altered privacy policy to assess whether it violated a 2011 consent order with the agency. Under the 2011 agreement, Facebook must gain explicit consent from users prior to exposing their information to new audiences. An FTC spokesman said, “Facebook never sought out a discussion with us beforehand about these proposed changes.” A Facebook spokeswoman said, “We routinely discuss policy updates with the FTC, and this time is no different,” adding, “Our updated policies do not grant Facebook any additional rights to use consumer information in advertising … the new policies further clarify and explain our existing practices.” Sen. Ed Markey (D-MA) has sent a letter to the FTC raising concerns about the changes. [The New York Times]

US – Court Rules Nonpublic Facebook Posts Protected by SCA

The U.S. District Court in New Jersey has ruled that nonpublic Facebook posts are protected under the Stored Communications Act (SCA). The case involved a hospital worker who posted to her page a negative comment, which could only be seen by her Facebook friends, about paramedics’ handling of a situation. A Facebook friend then took a screen shot of the post and shared it with hospital management—none of whom had access to the post through Facebook. The employee was suspended and issued a memo saying she had deliberately disregarded patient safety; she then sued on the grounds of SCA violations, among others. The court interpreted the 1986-era language and determined the post is protected under SCA, as it is an electronic communication “transmitted via an electronic communication service” that was in storage and not public. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Microsoft Funds Tech Policy Lab

Microsoft is donating $1.7 million to the University of Washington to found a Tech Policy Lab that will study and test new technologies in order to shape national policies in areas including consumer privacy, security, censorship, public records and wearable devices. Meanwhile, nine out of 10 statisticians believe consumers should worry about privacy issues related to the data being collected about them, and an article in the MIT Technology Review asserts that computer scientists at the National Security Agency are in breach of their own profession’s code of conduct—a list of 16 moral imperatives including “be honest and trustworthy” and “respect the privacy of others.” [GeekWire]

US – Microsoft Says Suit Isn’t Suitable Class-Action

Microsoft says a lawsuit against it seeking class certification should be denied such a designation because “little is ‘common’ among the tens of thousands of proposed class members.” The suit alleges Microsoft violated California’s Song-Beverly Act by asking in-state consumers for personal information without informing them such disclosures weren’t required for credit card purchases to be completed. The August 30 request for class certification says Microsoft’s training and policy documents do not instruct employees to inform customers that personal information disclosures are voluntary. Microsoft says each customer’s experience is varied and some class members knew providing data was voluntary. [Source]

US – LinkedIn Defends Data Practice, Seeks Class Dismissal

LinkedIn is seeking a dismissal of a suit that claims the company was deceptive with its data security and privacy statements. LinkedIn has stated its privacy policy is the same for both its baseline and premium subscriptions and that the plaintiff’s claim is unjustified. “So there is no question that what members are paying for in upgrading to premium services is the enhanced premium tools and capabilities—not LinkedIn’s promise in its privacy policy to secure personal information with ‘industry standards and technology,’” the filing states, while also citing a document showing the plaintiff purchased the subscription before privacy statements were included on the transaction page. According to LinkedIn, “Plaintiff’s arguments ignore that the allegedly deceptive statement was not made in advertising or in other materials that can be reasonably understood to be aimed at inducing members to purchase premium subscriptions.” [Main Justice]

US – FTC Seeks Comment on Verifiable Consent Method

The FTC is seeking public comment on a proposed verifiable consent method submitted by Imperium, according to an agency press release. Under a provision within the new Children’s Online Privacy Protection Act Rule, organizations may submit new verifiable consent methods for FTC approval. In addition to seeking comment, the FTC examines whether the method is already covered by existing methods and whether it will ensure the individual providing consent is the actual parent. The comment period will be open until October 9. [Full Story]

US – America’s Most Privacy Friendly Companies

Forbes reports on the “most privacy-friendly companies” according to privacy experts. Lee Tien of the Electronic Frontier Foundation cites Microsoft, Google, Tumblr and Facebook, while Chris Hoofnagle of Berkeley’s Center for Law & Technology cites B2B services “such as Salesforce, which explicitly says that the data you load into their service is yours, that you can encrypt it and that they will never sell it.” Boston attorney Sarah Downey says Twitter’s “Do-Not-Track” policy puts it at the top, and a number of experts cited companies such as DuckDuckGo, which doesn’t track users’ searches. [Forbes]

US – Court Reverses Heartland Negligence-Claim Ruling; Case Proceeds

Following the 2008 data breach at Heartland Payment Systems, several banks that had issued credit cards to customers affected by the breach alleged they incurred significant costs by replacing the cards of impacted customers and refunding fraudulent charges, writes attorney Stephen Shapiro. While a trial court dismissed the negligence claim, citing New Jersey’s economic loss doctrine, a Fifth Circuit Court has reversed the ruling, allowing the case to proceed. Editor’s Note: More on the possible implications of this case here. [Mondaq]

Privacy Enhancing Technologies (PETs)

WW – New Apps Give Posts a Shelf Life

A proliferation of mobile apps allows users to control who sees their content on social media sites—and for how long. Secret.li, for example, allows iPhone users to post a photo to Facebook knowing it will be automatically deleted either an hour, a day or a week after it’s posted and giving them control over with whom it will be shared. Another app, Spirit, allows users to hashtag tweets so they will auto-delete after a time period of the users’ discretion. “With the ongoing privacy scares, people are thinking about what they put out there now and looking for ways to have more control,” said Spirit’s developer. [Reuters] [Apps make self-destructing posts for Facebook and Twitter with privacy on mind] SEE ALSO: [AUS: A Gift Shop Devoted Entirely To Privacy-Protecting Stealth Gear]

RFID

US – E-Z Pass Tracked for Secondary Purposes in New York City

A recent report by Forbes’ Kashmir Hill revealed how an E-Z Pass is not only tracked by toll booths but also by a New York City traffic management initiative. The news highlights both the benefits of Big Data use and the privacy concerns about secondary use, ubiquitous data collection, anonymization and other topics covered at last week’s Future of Privacy Forum and Stanford Law School event on Big Data and privacy. This Privacy Perspectives installment delves into some of the major takeaways from the event and what these paradigms could mean for businesses and consumers moving forward. [Forbes]

US – New Jersey School Employing RFID for Students and Staff

The Belleville Public School District is using RFID to track students and faculty in the school and on buses as part of a security effort aimed at preventing a tragedy such as that in Newtown, CT, last year. According to the report, the badges will come equipped with buttons to alert authorities to an emergency and will typically be set to “beacon” their ID numbers every 28 seconds to be captured by one of the 190 RFID readers in the school or installed on each of its 21 buses. The system may also be used to eliminate attendance-taking in class or “identify if the same individuals were repeatedly visiting the bathrooms simultaneously, possibly suggesting a drug-use or fighting issue.” Schools in Texas and New York are considering similar systems. [RFID Journal]

US – School District Aims to Stop Bullying by Watching Kids’ Social Media Use

A Southern California school district is trying to stop cyberbullying and a host of other teenage ills by monitoring the public posts students make on social media outlets in a program that has stirred debate about what privacy rights teenage students have when they fire up their smartphones. Glendale Unified School District hired Geo Listening last year to track posts by its 14,000 or so middle and high school students. The district approached the Hermosa Beach-based company in hopes of curtailing online bullying, drug use and other problems after two area teenagers committed suicide last year. The company expects to be monitoring about 3,000 schools worldwide by the end of the year, said its founder. [Source]

Security

US – Hackers Find Ways to Hijack Car Computers and Take Control

In recent demonstrations, hackers have shown they can slam a car’s brakes at freeway speeds, jerk the steering wheel and even shut down the engine — all from their laptop computers. The hackers are publicizing their work to reveal vulnerabilities present in a growing number of car computers. All cars and trucks contain anywhere from 20 to 70 computers. They control everything from the brakes to acceleration to the windows, and are connected to an internal network. A few hackers have recently managed to find their way into these intricate networks. [Source]

WW – Warning Over Security of Baby Monitors

Security flaws in common baby monitors allowed hackers to break into the devices “easily” – and watch silently through hundreds of cameras. The faulty software allowed anyone with the right internet address to freely access the “feed” from Trendnet cameras – and has prompted an investigation by America’s FTC into the safety of “connected” devices. After 700 cameras were accessed, Trendnet has agreed to a 20-year security audit of its devices – and the FTC is to investigate the security of other “connected” devices in November this year. Security researchers have already shown that it is possible to access, for instance, the webcam in a web-connected television – prompting Samsung to issue a warning saying that families could consider covering the cameras when not in use. [Source] SEE ALSO: [TV makers aim to track what you watch] AND [SWE: ‘Lifelogging’ camera shrugs off privacy to seize the moment]

Surveillance

WW – NSA Reactions Abound in U.S., Canada, Brazil

The fallout from Edward Snowden’s U.S. National Security Agency (NSA) revelations is showing no sign of letting up. In the U.S., Sen. Edward J. Markey (D-MA) is asking for details from major cellphone carriers on how many government data requests they receive and how they respond. In Brazil, President Dilma Rousseff is asking legislators to support a bill requiring foreign companies to store data about their Brazilian clients on servers in that country in the wake of the NSA reports. And in Canada, Communications Security Establishment Canada “handed over control of an international encryption standard to the NSA, allowing the agency to build a ‘backdoor’ to decrypt data,” reports indicate. Ontario Information and Privacy Commissioner Ann Cavoukian has introduced a policy aimed at allowing privacy and counterterrorism surveillance to coexist in harmony, while a What’sYourTech report suggests almost half of Canadians “think it’s OK for the government to monitor our e-mail and other online activities.” [New York Times]

US – NSA Shares Raw Data with Foreign Intelligence Agencies

The U.S. National Security Agency (NSA) continues to make headlines, most recently with a report that the NSA “routinely shares raw intelligence data with Israel without first sifting it to remove information about U.S. citizens,” The Guardian reports. Citing a document released by Edward Snowden, the report describes an intelligence-sharing deal between the NSA and its Israeli counterpart. Meanwhile, Yahoo CEO Marissa Mayer and Facebook’s Mark Zuckerberg are hitting back at critics of tech companies, saying U.S. government did a “bad job” of balancing people’s privacy and duty to protect. Tech executives did not tell the public about the NSA surveillance because, Mayer said, “Releasing classified information is treason” and would mean incarceration. [Source] [Source]

IN – Investigation: Gov’t Monitoring 160M Internet Users

An investigation into the upcoming launch of India’s Central Monitoring System (CMS) found “the Internet activities of India’s roughly 160 million users are already being subjected to wide-ranging surveillance and monitoring, much of which is in violation of the government’s own rules and notifications for ensuring ‘privacy of communications.’” The CMS plan has prompted privacy concerns in recent months, but The Hindu’s investigation found the government already has monitoring systems “deployed by the Centre for Development of Telematics for monitoring Internet traffic, e-mails, web-browsing, Skype and any other Internet activity of Indian users.” [The Hindu] [Source]

US – University to Install 2,000 Surveillance Cameras; ACLU Doesn’t Like It

The University of Kentucky is planning to install 2,000 surveillance cameras on campus. The plan has the American Civil Liberties Union (ACLU) concerned about such monitoring. “You’re capturing a lot of information about people who are completely innocent,” said ACLU of Kentucky’s Amber Duke. “That’s a lot of information that could be misused.” [The Huffington Post] SEE ALSO: [Made-in-B.C. web tool offers rare glimpse into world’s most remote, private areas]

Telecom / TV

CA – Wireless Firms Let Ottawa Monitor Devices, Data for Licence to Use Spectrum

When wireless companies apply this week to bid on newly available public airwaves, they will also be committing – again – to an unpublicized accord that governs how they will help police and intelligence agencies monitor suspects. For nearly two decades, Ottawa officials have told telecommunications companies that one of the conditions of obtaining a licence to use wireless spectrum is to provide government with the capability to monitor the devices that use the spectrum. The Sept. 17 kickoff of the auction-countdown process will underscore that commitment, made out of sight of most Canadians because it is deemed too sensitive by the government. Documents show that court-approved surveillance in Canada is governed by 23 specific technical surveillance standards known as the Solicitor General’s Enforcement Standards (SGES). Any firm taking part in a wireless auction can obtain a copy, but the contents are not available to the general public. But The Globe and Mail has obtained past and current versions of the accord, which governs the way that mobile-phone companies help police pursue suspects by monitoring telecommunications – including eavesdropping, reading SMS texts, pinpointing users’ whereabouts, and even unscrambling some encrypted communications. Wireless carriers are told they must be ready to hand over such data should police or intelligence agencies compel the release of the information through judicially authorized warrants. Such information goes well beyond traditional wiretaps, and also includes phone logs and keystrokes. Police and intelligence officials say the surveillance is crucial, given that it can help them gather evidence, make arrests and locate missing persons. [Source]

US – NSA Targets Internet Routers and Switches

According to information in documents leaked by Edward Snowden, while the NSA will target individual personal computers when necessary, the agency concentrates its efforts on Internet routers and switches. Routers are attractive targets because “people are … horrible about updating their network gear because it is too critical, and usually they don’t have redundancy to be able to do it properly,” according to Beyond Trust CTO Marc Maiffret. [WIRED]

US Government Programs

US – Authorities Use Border Crossings to Seize Devices

Newly released documents reveal how U.S. authorities use border crossings to seize travelers’ electronic devices without acquiring warrants to access the data. The “largely secretive process” allows the government to set up a travel alert for an individual—even if the person is not a suspect of an investigation—and then detain, seize or copy files stored on electronic devices. As part of a settlement reached with the Department of Homeland Security, the documents were disclosed to David House, a former fundraiser for the legal defense of Chelsea Manning. “I think it’s important for business travelers and people who consider themselves politically inclined to know what dangers they now face in a country where they have no real guarantee of privacy at the border,” House said. [The New York Times]

US – Govt Using Border Searches to Circumvent Fourth Amendment Protections

Documents recently released regarding the seizure of a laptop and other electronic media devices by US border agents suggest that the US Department of Homeland Security (DHS) may be using “travel alerts” to get a look at data for which they would not otherwise be granted a warrant. The documents relate to the case of David House, a Massachusetts man who had befriended Bradley Manning, now known as Chelsea Manning. Federal officials wondered whether House knew anything about a batch of documents that Manning had shared with WikiLeaks but which had not yet been published. House was placed on a “travel list,” and when he returned from a vacation in Mexico in 2010, federal agents seized his laptop, camera, flash drive and cell phone. The laptop was held for seven weeks, and a year after the incident, US agents said that House had done nothing wrong and promised to destroy all copies of data made from his devices. The federal records were surrendered after a two-year battle with the ACLU, which sued the government on House’s behalf. The ACLU maintains that “the settlement documents demonstrate that the seizure of House’s computer was unrelated to border security or customs enforcement. It was simply an opportunity to conduct a suspicionless search that no court would ever have approved inside the country.” [ZDNet] [NBCNews] [AtlanticWire]

US Legislation

US – DEA Works With Telecom to Use Data Trove

The New York Times reports on the Hemisphere Project, a partnership between federal and local drug officials and AT&T. For at least six years, according to slides provided to the Times, law enforcement officials working on counter-narcotics operations with administrative subpoenas have had access to “an enormous AT&T database” containing decades of Americans’ phone calls. The government allegedly pays the telecommunications provider to place employees in drug-fighting units. The employees work with Drug Enforcement Agency officials and local detectives to provide phone data, often including location data, going back to 1987. The data—up to 4 billion phone records a day—is stored by AT&T and not the government. “Is this a massive change in the way the government operates?” queried a Columbia law professor. “No. Actually you could say that it’s a desperate effort by the government to catch up.” Meanwhile, in an op-ed, Ginger McCall, founder of Advocates for Accountable Democracy, writes about the future of technological surveillance, noting, “we are doing far too little to prepare ourselves.” [Full Story]

US – CA Senate Passes Breach Notification Amendment

California’s Senate has passed an amendment to its breach notification law that would expand the notification requirement to incidents involving personal information that would allow access to online accounts. SB 46 redefines personal information to include “a user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.” The bill also allows organizations to deliver notifications in electronic form but prohibits them from using an e-mail address that may have been compromised due to the breach. The future of SB 46 hinges on the passing of Assembly Bill 1149 as well; both must be passed and enacted prior to the start of 2014 in order to become law. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – Do-Not-Track Disclosure Bill Would Have Broad Impact: Opinion

While California’s Do-Not-Track Disclosure bill (AB 370) has been sent to the governor, it has not yet been signed. The bill would amend the California Business & Professions Code (CalOPPA) to require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals as well as disclose whether third parties may collect personally identifiable information. “If AB 370 becomes law, it will have impact beyond California—CalOPPA purports to apply to any website that collects information from California residents,” Forsheit writes. [Information Law Group]

US – Lawmaker, HIPAA Provision Raise Gun Privacy Questions

A Maryland legislator is asking Attorney General Douglas F. Gansler about the legality of viewing confidential information on potential gun-buyers. Delegate Kevin Kelly (D-District 1B) has sent the AG’s office a letter seeking details on “whether it was legal for state police to allow up to 200 state employees from five agencies to view confidential information about prospective gun buyers,” the report states. Meanwhile, the Office for Civil Rights has sent the Office of Management and Budget a proposal “to lift legal barriers related to the HIPAA privacy rule that may prevent states from reporting mental health information to the National Instant Criminal Background Check,” HealthData Management reports. [The Washington Times]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago), means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and prospective employees, making the state the 12th to pass such a law. According to the report, the terms provide exceptions for certain law enforcement-related agencies and allow employers to implement and enforce policies on company-issued devices, accounts or services; conduct investigations; and comply with requirements of the law. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register, slated to take effect by October 1. [GovInfoSecurity]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [WIRED]

US – Reps. Call for Delay of Death Master File

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720, which would delay the publication of the Social Security Administration’s Death Master File. According to Allen American Star, if the bill passes, only death information released three years after a person’s death would be made available. The bill is an effort to combat the use of deceased individuals’ information for identity theft.

US – Minnesota Agencies See Spate of Data-Access Lawsuits

Five lawsuits have been filed against officials from the Minnesota Department of Natural Resources (DNR) and Department of Public Safety claiming one DNR official inappropriately accessed the information of 5,000-plus citizens. The employee has been fired and criminally charged in a separate case, but the officials say they are not liable for the man’s violations. Main Justice reports the defendants claim that under the Driver’s Privacy Protection Act there are protections for government agencies intended to shield agency officials from being held responsible for violations by others who have access to the database. While the defendants are distancing themselves from the man’s actions, they argue that the act allows states to make driver’s license data available to law enforcement and other agencies and does not impose data access or monitoring rules on states. The former wife of a Duluth police officer has also filed a suit, claiming inappropriate access of her driver’s license data by the Duluth Police Department, St. Louis County Sheriff’s Office and others. In both situations, plaintiffs claim the driver’s license database offers access to more sensitive information, namely health data and Social Security numbers, but the DNR defendants’ filing rejects these claims, citing an audit of law enforcement use of state databases.

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Oregon State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing, Stateline reports. [Full Story]

US – Long Shot Bill Would Prohibit NSA from Putting Backdoors in Encryption

A US legislator has introduced a bill that would prohibit the NSA from introducing backdoors into encryption. The bill was originally introduced in July, but has received renewed attention following recent revelations about the NSA’s snooping activities. It seeks to repeal the Patriot Act and the FISA Amendments Act of 2008. As currently written, the bill stands virtually no chance of passing out of committee, let alone reaching the floor. [Ars Technica]

Workplace Privacy

US – University Staff Object to Health Plan

Pennsylvania State University’s introduction of “Take Care of Your Health,” a wellness plan, has sparked staff protests and allegations it “is coercive, punitive and invades university employees’ privacy.” Under the plan, nonunion employees must “visit their doctors for a checkup, undergo several biometric tests and submit to an extensive online health risk questionnaire that asks, among other questions, whether they have recently had problems with a co-worker, a supervisor or a divorce,” the report states. Those who do not participate face a $1,200 pay deduction annually. “You can’t force people to disclose the state of their marriage or fine them $100 a month,” one professor said. [The New York Times]

+++

16-31 August 2013

Biometrics

US – New Report Shows Ohio Police Secretly Use Facial Recognition Technology

Local law enforcement agencies have started to implement facial recognition technology that could transform police departments across the country. This week, Chrissie Thompson, state capital reporter for The Cincinnati Enquirer, revealed that Ohio’s Bureau of Criminal Investigation has used facial recognition technology to match driver’s license photos and surveillance footage for months—without telling the public. The program launched June 6 of this year, and Ohio Attorney General Mike DeWine learned of it two weeks later. Ohio is just one of 26 states that have implemented facial recognition technology. Reporter Chrissie Thompson discusses her investigation, and Attorney General DeWine defends law enforcement’s use of this technology. [Source]

US – Facial Scanning Is Making Gains in Surveillance

The federal government is making progress on developing a surveillance system that would pair computers with video cameras to scan crowds and automatically identify people by their faces, according to newly disclosed documents and interviews with researchers working on the project. The Department of Homeland Security tested a crowd-scanning project called the Biometric Optical Surveillance System — or BOSS — last fall after two years of government-financed development. Although the system is not ready for use, researchers say they are making significant advances. That alarms privacy advocates, who say that now is the time for the government to establish oversight rules and limits on how it will someday be used. [New York Times]

WW – Google Glass App Being Designed to Read Emotions

Catalin Voss, an entrepreneur and Stanford student from Germany, is working on emotion-recognition tools that could improve education and training by monitoring engagement. The company, Sension, is among a handful of businesses making strides in emotion-recognition technology. The tools can analyze facial expressions and vocal patterns for signs of specific emotions: happiness, sadness, anger, frustration and more. There’s a broad array of potential applications, including potentially creepy commercial ones. But the broader goal is to make machines communicate with humans in more natural ways. In that sense, it can be seen as the latest step in the long history of human-computer interaction, a layer on top of motion sensors like Microsoft’s Kinect controller or voice-recognition services like Google Now and Siri. The machines can understand more than the defined meaning of words or gestures, putting them into the context of the feelings with which they’re expressed. Voss stresses that they’re building privacy protections into their apps: they don’t upload facial images, store anything on the phone or attempt to identify individuals through facial recognition (which is banned by Google for Glass). He added that the team has no interest in pursuing any marketing applications of emotion recognition. [Source]

WW – Pay-Per-Gaze Tracking Patent Revealed

Earlier this month, the U.S. Patent and Trademark Office published a gaze-tracking system proposed by Google to monitor the pupils of a user wearing a head-mounted device, such as Google Glass. Connected to a server, the tracking system could infer emotion by detecting pupil dilation and eye movement and could potentially offer “a mechanism to track and bill offline advertisements in the manner similar to popular online advertisement schemes,” the patent states. In other words, the system could charge advertisers when opted-in users gaze at a given billboard, magazine, newspaper or other media. Additionally, the patent specifies that “personal identifying data may be removed from the data and provided to the advertisers as anonymous analytics.” A report by The New York Times delves into ubiquitous data collection, specifically data collected from wearable devices, where “Records of voices and events will be a permanent part of the Internet the way text is already, held forever and searched, mined and inspected.” [Fast Company]

Canada

CA – Survey: 60% Would Surrender Online Privacy to “Foil Terrorist Plots”

Only a small sliver of Canadians are concerned with keeping their data private, especially in the name of safety and anti-terrorism efforts, according to a survey released by the Canadian Internet Registration Authority (CIRA). About half of Canadians said it was “completely unacceptable” for governments to monitor citizens’ email and online activities, showing a pretty clear split between Canadians as to whether privacy is a priority. Yet that number shifted significantly when pollsters asked respondents if the Canadian government could monitor everyone’s email and other online activities, if officials said that might prevent future terrorist attacks. About 77% of Canadians polled, or three in four, said that would be “completely acceptable,” or “acceptable in some circumstances,” with about six out of 10 saying they would “be willing to give up their Internet privacy if it would help the government foil terrorist plots.” [CIRA Survey] [Source]

Consumer

WW – Teens Turn to Friends for Advice on Settings Management

A new report from the Berkman Center for Internet and Society at Harvard University indicates that while teens generally figure out how to manage their online privacy themselves, 70% report they have sought advice from someone else. The people they turn to are generally friends, parents or other close family members. The report is based on a survey that polled 802 parents and their children ages 12 to 17 as well as focus group interviews with 156 participants. [Source]

US – IAPP/PLSC Award-Winning Papers Posted

Earlier this month, The Privacy Advisor spoke with the authors of the award-winning papers from the Privacy Law Scholars Conference: Ryan Calo, and Daniel Solove and Woodrow Hartzog. Now, both papers have been posted to the Social Science Research Network and you can read the current drafts. Find Solove and Hartzog’s “The FTC and the New Common Law of Privacy.” Find Calo’s “Digital Market Manipulation” here. Geekwire talks with Calo as well about his paper and its implications for the current Internet marketplace. [Geekwire]

US – Prescription Rewards Program Raises Concern

A new prescription-drug rewards program gives store credit to opted-in customers for other nonprescription products. In February, CVS announced it was expanding its ExtraCare Pharmacy & Health Rewards program to include prescription drug purchases. According to the website, “each person must sign a HIPAA Authorization to join.” A representative from Privacy Rights Clearinghouse expressed concern, saying, “Pharmaceutical companies obviously would want to know what you’re taking and get you to buy more expensive medicines.” A CVS representative said, “We have extensive procedures, stringent policies and state-of-the-art technology in place to protect our customers’ personal and health information,” adding, “We do not sell, rent or give personal information to any nonaffiliated third parties.” [Los Angeles Times]

WW – Researchers Earn Grant to Study Privacy Notices

The National Science Foundation (NSF) has announced it is investing $20 million in grants to more than a dozen universities to help tackle the “fundamental challenges” to the nation’s cybersecurity. One group of recipients, including researchers from Carnegie Mellon, Fordham and Stanford, aims to work on a multidisciplinary approach to create effective web privacy notices. The project’s lead investigator said, “If you read privacy notices, you quickly realize that they contain a lot of boilerplate text and that people seem to often be recycling entire sentences and even larger text fragments from one another,” adding, “This project will aim to exploit these types of patterns.” An NSF representative said its “investments in foundational research will transform our capacity to secure personal privacy, financial assets and national interests.” [National Science Foundation]

E-Government

UK – Councils Sell Off Voter Information

More than 300 local authorities sold people’s names and addresses to more than 2,700 companies and individuals over five years, privacy campaigners have revealed. According to Freedom of Information Act requests made by Big Brother Watch, councils sold the edited electoral register – made up of all those people who register to vote and do not opt out of the edited version – to pizza shops, estate agents, lobbyists and driving schools among others. The group calls on the Government to abolish the edited register or allow councils to offer people a permanent opt-out instead of the current system that requires people to opt out annually. Some 307 local authorities sold the edited electoral register to more than 2,700 different companies and individuals between 2007 and 2012. Big Brother Watch director Nick Pickles said: “Registering to vote is a basic part of our democracy and should not be a back door for our names and addresses to be sold to anyone and everyone.” [Source]

IN – Indian Government Considers Ban on Gmail for Official Use

In what appears to be a reaction to the alleged Internet snooping by U.S. government agencies on users of U.S.-based email services, the Indian government is said to be planning a ban on the use of U.S.-based email services for official government use. The ban will force government workers to use only official Indian government email servers for official use. Many workers, including some government ministers, use hosted email accounts as they are easier to use and have better features than official email systems. India’s IT minister, Kapil Sibal, said there is no evidence of the U.S. accessing any Internet data from India. [Times of India] [ZDNet] [Economic Times]

CA – Toronto Agencies Still Ask for Immigration/Citizen Status

A survey finds it’s risky for undocumented people to seek help from a service agency; half will “ask” about their status, and nearly one in three will “tell.” Almost half of Toronto’s community agencies ask for clients’ immigration status, and 30% say they would share the information with police and immigration officials. Those statistics are from a new city-funded report, the first ever to survey community service agencies about their policies on serving “non-status residents” — a growing population of migrants who are in Canada without immigration status. More than one-third of the participating agencies said they did not know or were uncertain about their legal rights and obligations if approached by law or immigration enforcement inquiring about a client. Some 71% said they did not have a formal policy about serving this population. The 32-page report will be released this week, as Toronto City Council is reviewing its municipally funded services in a bid to ensure they’re available to all residents, “legal” or not. In February, Toronto was declared to be Canada’s first “sanctuary city” for migrants without status. [Source]

US – Illinois Tollway to Post Names of Scofflaws

Motorists who use the Illinois Tollway but refuse to pay tolls and fines may already have collection agents chasing them, but by the end of the week the names of the most egregious scofflaws could also be posted on the Tollway’s website. The list will name those who have racked up more than $1,000 in tolls and fines, officials said. Until now, the Tollway had been reluctant to publicize the names. But Gov. Pat Quinn on Tuesday signed legislation allowing the Tollway to do so, along with the amount of fines and unpaid tolls owed by each violator. The Tollway’s action follows similar public shamings by agencies in Texas and on the East Coast. Last year the Illinois Tollway estimated that deadbeats had racked up about $300 million in unpaid tolls and fines since 2001. The Tollway said it issues about 1.4 million first-violation notices every year. The agency collected more than $33 million in revenue from toll violations in 2011, according to a recent audit. [Source]

US – DOE Notifies Employees of Second Data Breach This Year

The US Department of Energy (DOE) is notifying 14,000 current and former employees that their personally identifiable information was compromised when someone gained unauthorized access to an agency human resources system. The specific information compromised was not disclosed. The incident, which occurred in late July, is the second reported data breach at DOE this year. In February, DOE notified a few hundred employees about a breach launched by “sophisticated attackers.” [SC Magazine] [DarkReading]

E-Mail

US – Groklaw Announces Shut Down Due to Decline of eMail Privacy

The website Groklaw has announced that it will shutter operations to avoid US government surveillance. Groklaw promises its sources anonymity, but the revelation of the surveillance practices means that the site can no longer ensure anonymity. Groklaw founder Pamela Jones pointed to the recently revealed US intelligence practice of gathering email from outside the country and storing the data for years in the hope that technology will eventually allow messages protected by encryption to be read. Over the last several weeks, two encrypted email services – Lavabit and Silent Circle – have shut down operations rather than face the likelihood of being served warrants demanding customer data. [The Register] [ComputerWorld] [BBC] [Ars Technica] [German government refutes Windows ‘backdoor’ claims]

US – Google Wants “Precedent-Setting” Case Dismissed

Google has asked for a case against it, concerning its alleged electronic scanning of Gmail users’ e-mails for the purpose of sending targeted ads, to be dismissed. In a San Jose, CA, court, Google said “all users of e-mail must necessarily expect that their e-mails will be subject to automated processing.” The suit was filed on behalf of 10 people and is expected to be certified as a class-action. It’s also predicted to be a “precedent-setting case for other e-mail providers,” the report states. [Full Story]

Electronic Records

US – Electronic Data Does Not Constitute ‘Tangible Property.’

Insurance company Liberty Mutual has filed a lawsuit against the supermarket chain Schnucks seeking release from liability in relation to a computer security breach Schnucks suffered earlier this year. Between December 2012 and March of this year, 2.4 million credit and debit cards used at 79 of Schnucks’ stores were compromised. As a result, eight lawsuits have been filed against Schnucks by customers whose cards were hacked. Liberty Mutual is refusing to meet those claims, stating that its coverage only applies to property damage and bodily injury and that electronic data does not constitute ‘tangible property.’ [Fox] [SupermarketNews] [Softpedia] SEE ALSO: [Canada: Tracking device may cut car insurance]

Encryption

WW – Password-Cracking Just Got Smarter

Passwords just got a lot easier to crack. That’s because the password cracker “ocl-Hashcat-plus,” a freely available program for offline cracking of hashed passwords, can now recover passwords of as many as 55 characters. The program previously could only crack passcodes of 15 characters or fewer, but Web users have increasingly used longer passcodes and passphrases to protect their online data. “This was by far one of the most requested features,” said the program’s lead developer. The development means Hashcat users can now achieve as many as eight billion guesses per second “on a virtually unlimited number of compromised hashes.” [Ars Technica]

EU Developments

EU – New EU Rule Requires Breach Notification Within 24 Hours

As of August 25, telecommunications operators and Internet service providers (ISPs) in the European Union (EU) must notify authorities within 24 hours of detecting a data security breach. While notification is already required, the mandatory 24-hour window is raising concerns because organizations will not have adequate time to conduct forensics. There is also movement toward broadening the scope of the requirement to include all industries. [SC Magazine] [v3.co.uk] [Infosecurity-magazine] [EU Data Breach Notification Rule: The Key Elements] See also: [Berlin Commissioner Talks Surveillance, Big Data and New Rules on Privacy] and also [New major incidents in 2012 report by EU cyber security agency ENISA]

EU – Breach Notification Schemes Prompt “Major Concern”

A draft opinion from the European Parliament’s Civil Liberties, Justice and Home Affairs Committee by Swedish MEP Carl Schlyter cites a “major concern” regarding two data breach notification schemes proposed under the draft Network and Information Security Directive and the planned General Data Protection Regulation. “A major concern that remains regards the relationship of the proposed system to the notification system proposed under the General Data Protection Regulation, and their effective coexistence, which is one of the reasons we highlight the fact that any EU cybersecurity legislation should follow the adoption of the General Data Protection Regulation, not precede it,” he writes. [Out-Law]

UK – Aberdeen City Council Fined GBP100,000 For Employee Data Breach

The United Kingdom’s Information Commissioner’s Office (ICO) has fined the Aberdeen City Council the sum of GBP100,000 (US$150,000) resulting from the leaking online of sensitive data relating to vulnerable children. The data was accessed on an employee’s home PC, from where a file-sharing program installed on the PC uploaded the information and shared it online. The information was first leaked on 14 November 2011 and was detected by another member of staff on 15 February 2012. Ken Macdonald, Assistant Commissioner for Scotland at the ICO, said: “As more people take the opportunity to work from home, organisations must have adequate measures in place to make sure the personal information being accessed by home workers continues to be kept secure.” [ITPro] [v3.co.uk] [The Register]

UK – Google Says UK Privacy Law Doesn’t Apply

Google has told British consumers in a privacy claim that it doesn’t have to answer to UK courts and the country’s privacy laws don’t apply to the company. Google will fight UK Safari users’ right to bring a case in the country and will force the plaintiffs to instead file the suit in California. The plaintiffs are seeking damages, disclosure and an apology from Google for allegedly circumventing users’ security settings and tracking them on Apple’s Safari browser, the report states. [IDG News Service]

Facts & Stats

US – COPPA Changes Leading to “Plummeting” Ad Revenue

COPPA changes that went into effect July 1 are creating headaches for publishers of “mom and pop” websites who say their ad revenue is plummeting. Judy Miller, founder of Apples4TheTeacher, a resource for teachers that also attracts children, said, “The law is so subjective for what is a kids’ site and what is a mixed site, it just has thrown me into a tailspin.” The Interactive Advertising Bureau’s (IAB) Mike Zaneis said, “Unfortunately, this was all too predictable, as the IAB warned for two years that the impact of the new COPPA rules would mean less revenue for child-directed sites and fewer free offerings for families.” [AdAge]

Finance

US – Facebook Friends Could Change Your Credit Score

A handful of tech startups are using social data to determine the risk of lending to people. That’s because financial lenders have discovered social connections are a good indicator of a person’s creditworthiness, the report states. Lenddo, for example, determines whether an individual is “Facebook friends” with someone who was late in paying back a loan. “It turns out humans are really good at knowing who is trustworthy and reliable in their community,” said the company’s CEO. “What’s new is that we’re now able to measure through massive computing power.” [CNN] [Source]

FOI

CA – Sunshine Summit: Who’s Defending Your Right to Know?

In celebration of the 10th annual Right to Know Week, the Privacy and Access Council of Canada (PACC) is presenting the Sunshine Summits to raise awareness and generate discussion about access rights and practices. Experts from government, industry and academia will join together at Sunshine Summits in Toronto (September 23), Calgary (September 25) and Victoria (September 27) to explore Who’s Defending Your Right to Know. [Further details and registration] See also: [US: Last of the secret Nixon tapes released; include meeting with USSR’s Brezhnev]

US – Additional Guidance for Open Data Project

The White House has released additional clarification and detailed requirements to help agencies achieve open data project objectives. An executive order in May affirmed the importance of the open data project, noting that open data are a boon to economic growth, innovation, and government efficiency. Agencies must submit open data progress reports by November 1, 2013. [NextGov] [Project Open Data Implementation Guide]

US – Bloomberg Releases Data and Privacy Practice Review

In response to revelations last May that Bloomberg News and some of its journalists were using terminals that had access to sensitive financial subscriber data, the organization conducted and has now released the results of a comprehensive external review of its data and privacy practices. Conducted by Hogan Lovells and Promontory Financial Group, the review examined Bloomberg news stories, employees, client data systems and other documents in order to assess and address the company’s governance framework. This exclusive for The Privacy Advisor looks into some of the recommendations and how privacy pros can use this example within their organizations to bolster the need for strong data and privacy frameworks. [Source]

UK – FOI Reforms In Effect September 1

As of September 1, amendments to the Freedom of Information Act go into effect, meaning public bodies in the UK will be required to disclose datasets “in an electronic form which is capable of re-use” when requested, subject to it being “reasonably practicable” to do so. The ICO has issued guidance on the law and advised authorities to consult its code of practice on anonymising personal data before responding to FOI requests. [Out-Law.com]

Health / Medical

US – Privacy, Pharmacy Groups at Odds Over Refill Reminder Funding Rule

The World Privacy Forum — a privacy rights group — is challenging an effort by the Specialty Pharmacy Association of America (SPAARx) to convince HHS to change a privacy rule that would limit funding for prescription refill reminder programs. The battle between privacy advocates and the pharmaceutical industry highlights the debate over the use of data in patients’ health records without patient consent. [Source]

US – Study: Dearth of Laws May Delay Mobile Health Apps

A recent report by TrustLaw Connect, a pro bono legal initiative of the Thomson Reuters Foundation, has shown that most African countries have not implemented laws to protect patient data, delaying efforts to launch mobile healthcare (mHealth) applications. “The primary risk of not having explicit laws assuring patient confidentiality is that many people may avoid accessing necessary services,” says William Philbrick, of the mHealth Alliance, noting this is “particularly true when we are talking about HIV.” Esther Ogara, head of eHealth at Kenya’s health ministry, says while it’s important to make laws to safeguard patient data, “countries must continue to deploy mHealth tools to save lives while they formulate laws.” [SciDevNet]

UK – Medical Details to Be Sold For £1

The medical records of millions of British patients are to be sold off for £1 each. Backing the plan: Health Secretary Jeremy Hunt. GPs will send the individual files to a central database from next month. Private firms such as Bupa can then apply to buy them for research. But doctors do not have to tell patients about the plan, which has been slammed by privacy campaigners. Phil Booth, of campaign group medConfidential, claimed NHS England plans to backdate it 20 years. Shami Chakrabarti warned over privacy protection: “The more people who have access to sensitive data, the greater risk it will not be protected properly.” Booth said: “This is a wholesale rewriting of the deal between patient and doctor. When people go to the GP, they go for medical treatment, they don’t expect commodification of their patient records.” [Source]

US – More Healthcare SMEs Eyeing Breach Insurance

In light of a growing number of healthcare breaches affecting small- and medium-sized organizations, many are looking at acquiring cyber insurance. A recent Experian/Ponemon Institute study found a growing trend of organizations across industry sectors looking toward such protection. Experian Data Breach Resolution Vice President Michael Bruemmer said specifically with healthcare, 32% of organizations polled already have insurance and an additional 41% are considering it. Bruemmer also said he has seen a shift toward smaller healthcare practices showing interest in cyber insurance coverage. [American Medical News]

Horror Stories

US – Regulators, State AG to Investigate Advocate Breach

Federal regulators and the Illinois Attorney General’s Office confirmed this week they will investigate Advocate Medical Group’s data breach. The breach was the second-largest loss of unsecured protected health information reported to the Department of Health and Human Services (DHHS) since its mandatory breach notification rule came into effect in September 2009, the report states. The July 15 breach affected more than four million patients seen by Advocate Medical Group from the early 1990s through July. Affected patients have begun receiving notification letters. DHHS investigates any breach affecting more than 500 people, but wouldn’t comment on the Advocate case citing the pending investigation. [Chicago Tribune] [Healthcare IT News: Second Largest HIPAA Breach Ever Affects Four Million] See also: [Ontario nurse fired after viewing 1,300 patient records]

US – Judge Dismisses Class-Action; Breaches Affect Business and School

A California federal judge has dismissed a proposed class-action accusing Symantec of concealing a data breach. Meanwhile, a data breach at the Bonneville Power Administration has compromised the data of 3,100 employees. And the University of Mississippi has acknowledged that an employee mistakenly attached a spreadsheet containing nearly 2,300 students’ names, Social Security numbers, grade-point averages, races, genders and other details to a mass e-mail to students. [Law360]

US – Judge Approves $20M Facebook ‘Sponsored Stories’ Settlement

A federal judge has approved a class-action settlement that will require Facebook to pay $20 million for putting users in their “Sponsored Stories” advertising program without their permission. Originally, U.S. District Judge Richard Seeborg had said he had “serious concerns” over the deal because it paid $10 million to charity but nothing to class members. The settlement now divides the $20 million among charities, the class-action attorneys and the 125 million U.S. Facebook users affected. [WIRED]

WW – Facebook to Compensate Users for Sharing Details on Ads

Approximately 614,000 Facebook users whose personal details appeared in ads on the site without their permission will each receive a $15 (£9.65) payout. The names and pictures of an estimated 150 million Facebook members were used in Sponsored Stories, but only those who responded to an email from the site earlier this year will be compensated. Privacy organisations will also receive some of the $20m (£12.9m) settlement. Facebook said it was “pleased” the settlement had been approved. The payout was approved by a US court following a class action filed against Facebook in 2011 by five of its users. The group said their details had been used to promote products and services through the site’s Sponsored Stories programme, without paying them or giving them the choice to opt out. US District Judge Richard Seeborg acknowledged that the $15 payments were relatively small, but said it had not been established that Facebook had “undisputedly violated the law”. He added that the claimants could not prove they were “harmed in any meaningful way”. The court estimated that Facebook had made about $73m (£47m) in profit from the Sponsored Stories featuring details of the 150 million members. The settlement also requires Facebook to make changes to its “Statement of Rights” and to give users more information and control over how their details are used in the future. This move was estimated by the plaintiff’s lawyers to cost Facebook $145m in advertising revenue. Approximately 7,000 Facebook users opted out of the settlement altogether, allowing them to bring their own legal action against the social network. [Source]

US – Federal Reserve Employee Data Exposed

Law enforcement is working with the Federal Reserve to investigate a hacking incident that has resulted in the release of employee data online. Individuals claiming to be part of the hacktivist group Anonymous have claimed responsibility for posting online the “full details of every single employee at Federal Reserve Bank of America,” adding central banks have “systematically defrauded the planet.” The bank says the data was likely accessed more than six months ago, through a breach of its Emergency Communications Systems and includes names, phone numbers and e-mail addresses, among other information. [Bloomberg]

US – Citi Fined US$55,000 for Data Breach

The state of Connecticut has fined Citi US$55,000 as a result of a security flaw which led to a data breach exposing the personal details of 360,000 customers and the subsequent theft of US$2.7 million. The account details were accessed in May 2011 when a flaw in Citi’s Account Online Web-based service allowed criminals to log into the system, and by simply changing a few characters in the URL they were able to access other accounts. According to Connecticut’s Attorney General George Jepsen, Citi were aware of the vulnerability and that it could have existed for three years before the attack. Not only will Citi pay a fine of US$55,000, it has agreed to engage a third party to conduct a security audit of the Account Online system and will offer two years of free credit monitoring for any affected customers from the state. [Finextra] [Hartford Business]
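The Citi item describes the classic insecure-direct-object-reference failure: the site authenticated the user but never checked that the account number in the URL belonged to that user. The following is an added illustration, not code from the article or from Citi’s Account Online system; the account records, user names, session ids and log format are all constructed for the example. It shows the vulnerable lookup beside the hardened one, and a simple log check a defender could run to spot a single session walking through many account ids, which is what a URL-tampering attack looks like in server logs.

```python
"""Added example: insecure direct object reference (IDOR), its fix, and a
log-based detector. All data below is constructed; nothing here is Citi's code."""
from collections import defaultdict

# Constructed sample data: account id -> owning user and balance.
ACCOUNTS = {
    "1000001": {"owner": "alice", "balance": 2500.00},
    "1000002": {"owner": "bob", "balance": 900.00},
    "1000003": {"owner": "carol", "balance": 13100.00},
}

# Constructed access-log lines in a hypothetical 'key=value' format.
# Session s2 requests five different account ids in a row, the enumeration
# pattern described in the article; s1 only reads its own account.
SAMPLE_LOG = [
    "session=s1 account=1000001 status=200",
    "session=s2 account=1000002 status=200",
    "session=s2 account=1000003 status=200",
    "session=s2 account=1000004 status=404",
    "session=s2 account=1000005 status=404",
    "session=s2 account=1000006 status=404",
    "session=s1 account=1000001 status=200",
]


class Forbidden(Exception):
    """Raised when a user asks for a record they do not own."""


def get_account_vulnerable(session_user: str, account_id: str) -> dict:
    """Vulnerable form: the caller is authenticated (session_user is known),
    but the account id taken from the URL is looked up without checking
    ownership, so editing the URL returns someone else's record."""
    return ACCOUNTS[account_id]


def get_account_hardened(session_user: str, account_id: str) -> dict:
    """Hardened form: the record is returned only if the session user owns it.
    A missing account and a foreign account produce the same error, so the
    response does not reveal which account ids exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not read account {account_id!r}")
    return record


def is_allowed(session_user: str, account_id: str) -> bool:
    """Convenience wrapper: True if the hardened lookup would succeed."""
    try:
        get_account_hardened(session_user, account_id)
        return True
    except Forbidden:
        return False


def flag_enumeration(log_lines, threshold: int = 4):
    """Return session ids that touched at least `threshold` distinct account
    ids. A real session normally reads one or two accounts; a session that
    walks through many ids (especially with 404s mixed in) is the signature
    of someone editing the identifier in the URL."""
    seen = defaultdict(set)
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split())
        seen[fields["session"]].add(fields["account"])
    return sorted(sid for sid, ids in seen.items() if len(ids) >= threshold)


if __name__ == "__main__":
    # Vulnerable lookup: alice can read bob's account by changing the id.
    print(get_account_vulnerable("alice", "1000002"))
    # Hardened lookup: the same request is refused.
    print(is_allowed("alice", "1000002"), is_allowed("alice", "1000001"))
    # Detection over the constructed log: only session s2 is flagged.
    print(flag_enumeration(SAMPLE_LOG))
```

The ownership check belongs in the data-access layer, not in the URL router, so that every code path that resolves an account id hits it; the detector is a complement, not a substitute, since the article notes the flaw went unfixed for years despite being known.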

US – Northrop Grumman Data Breach

Employees of and applicants to Northrop Grumman’s linguist program have been notified that their personal data were compromised in a security breach. More than 70,000 people were affected. The incident: unauthorized database access sometime between November 2012 and May 2013. [SC Magazine]

Identity Issues

US – New Class-Action Sought Over UDIDs

A group of consumers seeking class-action status is alleging Apple’s pledge that it would restrict access to devices’ 40-character unique identifiers (UDIDs) “has thus far been ineffective and leaves class members’ personal information exposed.” The consumers, who had previously sued Apple after reports alleged developers could access iPhone and iPad UDIDs, have filed a motion asking U.S. District Court Judge Lucy Koh to grant them class-action status. While Apple does not define UDIDs as personal information, “the consumers argue that the identifiers become personally identifiable information when combined with other supposedly anonymous information, such as ZIP codes, occupation or area code,” the report states. [Media Post News] See also: [DMA Not A Supporter of “Reclaim Your Name” Campaign]

US – Texas Pastafarian Becomes First In U.S. to Wear Colander in License Photo

Trips to the DMV don’t typically elicit genuine smiles, but from beneath a metal pasta strainer, Texas Tech student and practicing Pastafarian Eddie Castillo flashed the “biggest, cheesiest” one he could muster last week. Castillo told KLBK that the triumphant moment came after a lengthy fight with the state’s Department of Public Safety that the unusual headgear was protected as part of his religious beliefs. Castillo is the first American to successfully have his government-issued photo identification taken while wearing a colander, though DPS officials are reportedly planning to follow up with Castillo in order to “rectify” the situation. Others have tried unsuccessfully, and Castillo told KLBK that he was surprised at his victory, which he called a “political and religious milestone for all atheists everywhere.” [Source] SEE ALSO: [Germany to add third gender option to birth certificates]

Internet / WWW

WW – NSA Surveillance Network Covers 75% of U.S. Web Traffic

The surveillance network set up by the National Security Agency (NSA) intercepts more U.S. Internet communications than has been publicly revealed. The system, allegedly designed to target foreign communications for intelligence purposes, has the ability to reach approximately 75% of all U.S. Internet activity—including, in some cases, the ability to retain written content of e-mails sent between Americans and domestic phone calls made via the web, the report states. One U.S. official, however, said the NSA is “not wallowing willy-nilly” through domestic communications, adding, “We want high-grade ore.” [The Wall Street Journal] [NBC News] [CNN] See also: [New Zealand has direct access to US surveillance]

WW – Project Loon Raises Concerns

The Atlantic explores Project Loon, Google’s plan for a “soaring, international balloon armada, beaming Internet to the parts of the world that don’t have it.” While the report acknowledges there is potential for humanitarian benefits in “bringing a connection to the farthest reaches of the developing world,” it also cautions, “If Google’s claims about the Loon balloons’ navigability are true, it is in fact an ‘unmanned aircraft,’ sometimes more pejoratively referred to as a drone,” with vast possibilities for data collection. And questions of jurisdiction abound, the report states, noting, “With its Project Loon, Google is venturing into not one but two vast open spaces—the law and the sky.” [Source]

WW – The Internet of Things: Baby Monitor Hacked

A Texas family heard noises coming from their toddler’s bedroom through their video baby monitor. A man was yelling obscenities at their child, and when the parents entered the room, he yelled obscenities at them as well. The family had taken security precautions, including enabling a firewall and establishing passwords for their router and the baby monitor camera, which connects to their Wi-Fi network. [BBC] [CNET] [NBCNews] SEE ALSO: [Webcam spying goes mainstream as Miss Teen USA describes hack]

Law Enforcement

BC – Police Tech Could Stop Crimes Before They Even Happen

Police technology is getting closer and closer to being able to stop crimes before they occur. The technology will draw from multiple data sets to predict that a specific crime will probably occur in a specific location at a specific time, said Prox of the Vancouver police, so police will know where to go before a crime has been committed. “We will actually be deploying police units preemptively to where crime isn’t happening, but where we’re predicting it might,” said Prox. Police cars are equipped with mobile terminals with touch screens for easy access to the data while on the go, so officers can make their own decisions on where they should be. The customized computer system from IBM has been used since 2007, and is making Vancouver’s police force leaders in North America, keeping pace with the likes of New York and Los Angeles. In addition to preventing crime, “big data” can also be used to solve cases traditional techniques couldn’t crack, said Prox. [Source]

CA – Calgary Planning to Put Cameras on More Police

Many more Calgary police officers will soon wear body cameras after a pilot program was deemed a success. After testing body-worn cameras on a small group of officers for nine months, the Calgary Police Service has decided it wants to eventually equip all its uniformed officers with the devices. But police are still developing policies and guidelines about how the cameras will be used and what authorities will do with the recordings they capture — and privacy experts said it’s essential to address those questions before going much further. “One of the principles about privacy is openness and transparency. Their policies and practices should be readily available to the public,” said Kelly Ernst, senior program director at the Sheldon Chumir Foundation for Ethics in Leadership. “They probably shouldn’t be putting the cart before the horse.” [Source] See also: [US: Asiana crash photo leak prompts helmet cam ban]

Mobile

WW – Researchers Show Method of Sneaking Malicious Apps into Apple Store

Researchers have demonstrated a method of creating malicious apps that evade detection by Apple’s app review. The apps, dubbed Jekyll malware, use program paths that do not exist during the app review process. [NBC News] [Information Week]

US – Apple Updates App Store Guidelines per COPPA Revision

Following the legislative update to the Children’s Online Privacy Protection Act in July, Apple has updated its App Store Review Guidelines. The revised guidelines offer stronger privacy protections and limit the way apps can handle user information. They also contain a new provision on Kids Apps, which applies to apps aimed at children under the age of 13. That provision requires such apps to have a privacy policy and to be made for kids within one of the age ranges of five and under, six to eight, or nine to 11. Kids Apps rules also forbid apps from serving ads through behavioral targeting. [Information Week]

HK – PCPD: “Do No Evil” App Invades Privacy

Hong Kong Privacy Commissioner for Personal Data (PCPD) Allan Chiang Yam-wang has “found mobile app Do No Evil had supplied sensitive personal data—including names of litigants, partial identity card numbers, addresses, claims amounts and company directors’ data—to users without voluntary consent.” The PCPD found the smartphone application, which allows members of the public to access a database of millions of litigation records “seriously invaded” privacy, the report states. “I must make clear that personal data obtained from the public domain is still subject to regulation of the [Personal Data (Privacy)] Ordinance, otherwise consequences will be dire,” the PCPD said. The PCPD’s actions are receiving criticism from a corporate governance activist. [South China Morning Post]

WW – Android Malware Spreading Through Mobile Ad Networks

Malware targeting Android devices has been found to be spreading through mobile advertisement networks. Many developers include advertising frameworks in their apps to help boost profits. Advertisements in mobile apps are served by code that is part of the app itself. An attack scheme in Asia involved a rogue ad network pushing code onto devices. When users download and install legitimate apps, the malware prompts users to approve its installation, appearing to be part of the process for the app they have just downloaded. [ComputerWorld]

US – Study: Teens Really Do Care About Privacy on Their Smartphones

More than half of teens who use mobile apps say they avoid downloading some of them because of concerns about personal information being shared with others, including location-based data. And a quarter of teens say they’ve even uninstalled apps once they learned the apps might be collecting “personal information that they didn’t wish to share.” The findings are from the Pew Internet Project’s new report, “Teens and Mobile Apps Privacy,” which says that 58% of all U.S. teens, ages 12 to 17, have downloaded apps to their phones or tablets. For teen girls, location information “is considered especially sensitive,” Pew said in its report. A majority of them “have disabled location-tracking features on cellphones and in apps because they are worried about others’ access to that information.” In its survey of 802 teens, ages 12 to 17, and their parents, Pew found:

  • 58% of all teens say they’ve downloaded apps to their phone or tablet.
  • 51% of app users say they’ve avoided certain apps because of privacy concerns.
  • 26% of app users say they’ve uninstalled an app after they found out it was collecting “personal information that they didn’t wish to share.”
  • 46% of app users say they have turned off location-tracking features on their phones or in an app “because they were worried about the privacy of their information.”
  • Girls are more likely than boys to disable location-tracking features, 59% to 37%.

However, this privacy concern isn’t totally cause for parents to celebrate. “Some of the people” teens might be concerned about being tracked by are — perhaps not surprisingly — “their own parents,” Pew noted. “As early as 2009, the Pew Internet Project found that about half of parents of teen cellphone owners said they used the phone to monitor their child’s location in some way.” [Source]

WW – ‘Boyfriend Tracker’ App Pulled Over Privacy Concerns

Brazilians were outraged when they learned their country was a top target of the U.S. National Security Agency’s overseas spying operation, with data from billions of calls and emails swept up in Washington’s top secret surveillance program. Yet when it comes to the cloak and dagger effort of catching philandering lovers, all high-tech weapons appear to be fair game — at least to the tens of thousands of Brazilians who downloaded “Boyfriend Tracker” to their smartphones before the stealthy software was removed from the Google Play app store last week, apparently in response to complaints about privacy abuses and its potential to be used for extortion or even stalking. The app, called “Rastreador de Namorados” (Portuguese for Boyfriend Tracker), promises to act like a “private detective in your partner’s pocket.” Functions include sending the person doing the tracking updates on their partner’s location and forwarding duplicates of text message traffic from the targeted phone. There is even a command that allows a user to force the target phone to silently call their own, like a pocket dial, so they can listen in on what the person is saying. [Source]

Offshore

SA – South African National Assembly Passes POPI

Eversheds’ Paula Barrett and Penelope Jarvis examine South Africa’s Protection of Personal Information Bill (POPI), passed by the South African National Assembly this month. “All that stands in the way of POPI becoming law is its translation into Afrikaans and the signature of South African President Jacob Zuma,” they write. Barrett and Jarvis examine the history of the legislation and detail what you need to know about POPI, including the conditions that must be met to process personal data legally and information on compliance and enforcement. [Privacy Tracker]

Online Privacy

WW – Facebook Changes Include Expanded Facial Recognition

Facebook has announced that it is “updating its privacy policies to clarify how the personal information of its more than one billion users” is collected and used—including at least one change: the expanded “use of facial recognition software to include profile pictures.” Some of the language is being included to comply with the recent $20 million settlement of a lawsuit over Facebook’s “Sponsored Stories” feature. Chief Privacy Officer Erin Egan, who outlined the changes to two legal documents, explained, “we revised our explanation of how things like your name, profile picture and content may be used in connection with ads or commercial content to make it clear that you are granting Facebook permission for this use when you use our services.” [The Wall Street Journal] See also: [US: Here’s The Most Amusing Way To Learn The Depressing News About Your Vanishing Privacy]

WW – Facebook Says Countries Sought Data on 38,000 Users First Half of 2013

In the first half of 2013, Facebook fielded governments’ requests for data on more than 38,000 Facebook users and complied with about 80% of those requests. That’s according to the social networking giant’s first report on the scale of data inquiries it receives globally. Of those, U.S. law enforcement authorities made the most requests, seeking data on between 20,000 and 21,000 users between January and June, the report states. That’s up from the number of requests they made in the prior six-month period, which was roughly between 18,000 and 19,000. Authorities in India, the UK and Germany also requested data on large numbers of users. [Reuters] See also: [Researcher posts Facebook bug report to Mark Zuckerberg’s wall]

WW – LinkedIn to Allow Teens

Professional networking site LinkedIn will soon welcome teens ages 14 and up. The service was previously only available to users aged 18 and up, but it will launch “University Pages” in an effort to help college-bound students network. The change required LinkedIn staff to do some research on how to protect teens’ privacy online. Privacy settings for teens will include hiding birth dates, preventing their profiles from appearing in public search engines and only allowing their photos to be visible to “first-degree” connections. [Forbes]

US – Peter Swire Quits Group Tasked With Creating Do-Not-Track Standard

Do-Not-Track (DNT) working group Co-Chairman Peter Swire has left the W3C’s working group tasked with creating a Do-Not-Track browser standard. “The 110-member international group was formed two years ago to unite all stakeholders on a tracking standard. But by the end of last year, the group was still nowhere near consensus, and browser companies such as Mozilla and Microsoft began to go their own way with their own browser solutions, causing a controversy with the interactive advertising community,” the report states. Swire, who was recently named to the Obama administration’s NSA review panel, wrote he is leaving due to the appointment, citing a “sense of responsibility” to serve on that panel, the report states. [Adweek] [FTC Getting Impatient on DNT]

Other Jurisdictions

NZ – New Zealand Government Passes NSA-Style Snooping Bill

New Zealand has passed a hotly-disputed bill that radically expands the powers of its spying agency. The legislation was passed 61 votes to 59 in a move that was slammed by the opposition as a death knell for privacy rights in New Zealand. The new amendment bill gives the Government Communications Security Bureau (GCSB) – New Zealand’s version of the NSA – powers to support the New Zealand police, Defense Force and the Security Intelligence Service. Opposition to the legislation has voiced concerns it will open the door to the NSA-style monitoring of New Zealand citizens in violation of their rights. A recent survey by Fairfax Media-Ipsos found that three quarters of New Zealand’s population is “concerned by the law.” [Source]

RU – Russian Senator Seeks Probe of Twitter’s Compliance With Personal Data Law

Russian Sen. Ruslan Gattarov says Twitter’s privacy policies violate Russian and European data protection laws. Gattarov has asked the prosecutor general, the head of the federal communications agency and the Council of Europe’s data protection commissioner to conduct an investigation. He alleges certain parts of Twitter’s policies violate Russian users’ rights, including the omission of explanation for the reason personal data is collected and the lack of a translation of part of its policy into Russian. [Rapsi News]

WW – Tech Giants Concerned About Proposed Brazilian Law

Brazil is currently crafting its first nationwide set of data protection and Internet governance laws. Recent amendments to the country’s Internet Constitution, or the Marco Civil da Internet, have raised concerns among some U.S.-based tech companies. A new amendment would require data to be stored locally, causing representatives from Google and Facebook to raise red flags. Facebook’s Bruno Magrani has said the company is concerned because it would be “an enormous technical challenge” for the company and could jeopardize its service in Brazil. Part of the thinking behind storing data locally, according to Foreign Policy, is to protect Brazilians from U.S. government surveillance. [ZDNet]

Privacy (US)

US – Leaked NSA Audit Shows Agency Violated US Citizens’ Privacy

Leaked documents indicate that the US National Security Agency (NSA) has run afoul of privacy laws thousands of times since 2008. That year, Congress passed the FISA Amendments Act, which broadened the NSA’s data collection authority “in exchange for regular audits from the Justice Department and the Office of the Director of National Intelligence and … reports to Congress and the surveillance court.” Although NSA Director General Keith Alexander said that the agency has not abused surveillance powers and that it does not store data on US citizens, it has in fact done both. One of the leaked documents, a May 2012 NSA internal audit, listed nearly 2,800 incidents over the past year. [Washington Post] [WIRED] [The Register]

US – FISA Court Admonished NSA for Misrepresenting Surveillance Program

A document declassified by US intelligence officials shows that the Foreign Intelligence Surveillance Court criticized the NSA for providing misleading information about a surveillance program. The FISA Court opinion is reproachful of the NSA for misrepresenting the scope of the surveillance. The opinion found that some NSA surveillance activity violated the Fourth Amendment. [Washington Post] [ZDNet] [WIRED] [EFF.org]

US – President Meets with Surveillance Review Panel

President Barack Obama met with the panel he requested to review U.S. surveillance programs on the collection of telephone and Internet data for the first time on Tuesday. Obama announced the panel’s establishment earlier this month, saying, “It’s not enough for me, as president, to have confidence in these programs. The American people need to have confidence in them as well.” The panel will provide the president with interim findings in 60 days, and its goal is to examine how the U.S. “can employ its technical collection capabilities in a way that optimally protects our national security and advances our foreign policy while respecting our commitment to privacy and civil liberties.” [Bloomberg]

US – US Surveillance Guidelines Not Updated For 30 Years, Privacy Board Finds

Barack Obama’s new privacy watchdog has delivered its first bark, with a letter to intelligence chiefs urging them to draft stronger rules on domestic surveillance, something it revealed had not been updated for 30 years. The intervention of the Privacy and Civil Liberties Oversight Board, its first since the appointment of new staff by the White House earlier this year, came as Obama acknowledged that technology was outpacing the checks put in place to protect privacy and said the National Security Agency was “scary to people”. Hours earlier, the Privacy and Civil Liberties Oversight Board (PCLOB) wrote to director of national intelligence James Clapper and the Department of Justice calling for them to begin formulating new guidelines to reflect recent advancements in surveillance capabilities. PCLOB also requested that “both the attorney general and the director of national intelligence work together to focus the attention necessary to update each element of the intelligence community’s procedures to collect, retain and disseminate US persons’ information”. It said procedures should capture “both the evolution of technology and the roles and capabilities of the intelligence community since 9/11”. “Specifically, the board would appreciate receiving by October 31, 2013, an agency-by-agency schedule establishing a time frame for updating each agency’s guidelines,” added chairman David Medine. “In the meantime, the board would appreciate a briefing on the status of the guidelines and process for reviewing and updating them.” [Source]

US – FTC Announces $3.5M FCRA Settlement

The Federal Trade Commission (FTC) has announced a settlement with Certegy Check Services, Inc., for failing to correct or delete inaccurate consumer information in a timely manner, violating provisions of the Fair Credit Reporting Act (FCRA). The agreement includes a $3.5 million civil penalty for the check-verification company due to “knowing violations…that constituted a pattern or practice of violations.” Meanwhile, the Future of Privacy Forum has recorded a podcast with Prof. Chris Hoofnagle about his essay “How the Fair Credit Reporting Act Regulates Big Data,” in which he points to consumer reporting as the first Big Data initiative and argues that use-based regulation hasn’t been effective. [Hunton & Williams’ Privacy and Information Security Law Blog]

US – OMB Releases Privacy Guidance on “Do-Not-Pay Lists”

Office of Management and Budget (OMB) Director Sylvia Mathews Burwell has released mandatory guidance for agencies implementing the “Do-Not-Pay List” of contractors considered ineligible for government work. The memo outlines how this can be done while adhering to laws that protect privacy, and it lays out the legal procedures for using an online tool designed as a “single point of entry” through which agencies can access data for determining a contractor’s eligibility for a benefit, grant or contract award, the report states. [Government Executive] [FierceGovernment]

US – Coalition of AGs Protest Navigator Program

New hires under the Affordable Care Act could threaten the private information of health insurance candidates, says Florida Attorney General Pam Bondi. Joined by a dozen other Republican state AGs, Bondi wrote a letter to Department of Health and Human Services (DHHS) Secretary Kathleen Sebelius arguing that DHHS’s forthcoming “navigator” program—designed to help Americans navigate paperwork of the new healthcare system—puts patients at risk. Bondi said those hired as navigators will not undergo background checks, meaning individuals’ personal information could fall into the wrong hands. “What if they’ve been convicted of committing identity theft or grand theft before?” Bondi said. “They could potentially still become a navigator.” [The Hill]

US – Judge Says Changing IP Address and Using Proxies May Violate CFAA

A federal judge in California has ruled that changing IP (Internet protocol) addresses or using a proxy server to access a public website from which a user has been banned constitute violations of the Computer Fraud and Abuse Act (CFAA). The case involves a company that aggregated and republished advertisements from Craigslist. The company, 3taps, received a cease-and-desist letter from Craigslist, and Craigslist blocked IP addresses associated with 3taps. The company used alternate IP addresses and proxy servers to get around the blocks. [Ars Technica]

US – Opinion: Final FIPP Is Crucial for Federal Privacy Programs

As federal programs as diverse as the National Security Agency and the Drug Enforcement Agency come under scrutiny for their privacy practices, Mary Ellen Callahan, former CPO at the Department of Homeland Security, says federal agencies of all kinds can avoid privacy disasters by adhering to the most crucial of Fair Information Practice Principles: auditing and accountability. In this latest post for Privacy Perspectives, Callahan lays out in detail how privacy worked at DHS under her watch and why CPOs need “holistic investigatory authority.” [Source]

US – Opinion: Who’s the Most Active Enforcer? FTC or OCR?

Robert Gellman discusses recent FTC enforcement activities, writing, “I want to put FTC privacy activities into a perspective by comparing the FTC with the Office for Civil Rights (OCR), Department of Health and Human Services.” Gellman cites statistics, writing the FTC reported 153 cases from 1997 through February of this year, while the “OCR investigated 19,726 complaints that revealed a violation during the 10-year period ending in April 2013.” Gellman opines, “It seems to me that it is difficult to look at the numbers and still think that the FTC’s record justifies grand claims about the role of the FTC as a general enforcer of privacy standards in the commercial sector.” [Concurring Opinions]

US – Opinion: Should Smith v. Maryland Be Revisited?

With more focus on the recent dragnet collection of phone metadata by the National Security Agency, NPR explores whether the legal precedent—the 1979 case, Smith v. Maryland—needs to be revisited. Smith v. Maryland is at least one case that supports the third-party doctrine—when information is shared with a third party, a person’s expectation of privacy is diminished. Stanford University Prof. Jennifer Granick said, “Nothing in Smith v. Maryland authorized mass surveillance, and the information that was collected (in that case) is a much narrower category than the information that the government’s currently getting.” Since so much data is now shared with third parties—including location information from smartphones—individuals are constantly revealing their location, which “is not information that you voluntarily disclose to anybody,” Granick added. [NPR]

Privacy Enhancing Technologies (PETs)

WW – Support for Anti-Tracking Wear on the Rise

When the developers of “OFF Pocket,” a sleeve for smartphones that blocks incoming phone signals, WiFi, GPS and Internet connections, launched their Kickstarter campaign looking for $35,000, they ended up raising $56,447. NPR blogger Robert Krulwich offers his views on why the campaign was so successful. At some point, news of the U.S. government’s warrantless data collection combined with a proliferation of surveillance devices will “make us wonder… ‘Who’s watching me?’” he writes, adding, “once we start wondering, it’s only natural to think about protecting ourselves—and that’s the change, I suspect, that has just begun.” After its Kickstarter success, OFF Pocket may go commercial, but concerns about use by terrorists have caused designers of other surveillance-blocking attire to hold back their technologies. [Source] See also: [Female football fans crying foul over ban on purses at all NFL stadiums]

WW – Companies Enhancing Ways to Go Incognito

Companies that offer secure online communication services are increasingly pushing private texting applications over encrypted e-mail. While consumer e-mail programs require authentication credentials—which are then stored in a database—for user login capabilities, the companies say the encryption for smartphone-based services happens on the device, so there is no way to decrypt the messages remotely. Both Apple and Android secure messaging services say they have seen an increase in downloads in the past month. Meanwhile, a new website called justdelete.me collects on one page links that will delete online accounts, including social media, photo-sharing and shopping accounts, simplifying the process of vanishing from the Internet. [The Wall Street Journal]

RFID

US – FDA Publishes Security Guidance for Wireless Medical Devices

The US Food and Drug Administration (FDA) has published radio frequency guidance for wireless medical devices. The guidance includes information about authentication and encryption to prevent hackers from gaining control of the devices. [Health IT Security] [FDA.gov]

WW – RFID Identifies Drunk Individuals Before They Drive

A radio frequency identification system tested for two weeks in April 2013 at Singapore night club Zouk may have prevented alcohol-related traffic accidents, by warning parking attendants not to hand over car keys to inebriated patrons. The solution, known as the Pee Analyser, was developed by DDB Group Singapore, an advertising and marketing agency, at Zouk’s request. The technology was designed to make it easy to ascertain an inebriated individual’s blood-alcohol level before he begins driving. The trial’s focus was only on men, the company reports, since they account for 90% of drunk-driving arrests in Singapore. At Zouk Singapore, two urinals were equipped with devices that measure the blood-alcohol content of an individual’s urine. A ThingMagic Astra ultrahigh-frequency (UHF) RFID reader was installed near the urinal. During the pilot, as a male patron arrived at the club, he was provided with a valet ticket containing an embedded passive UHF RFID transponder. As that customer used the urinal throughout the evening, the sensors in the toilet determined the amount of alcohol in his urine. If that number exceeded the legal limit, the sensor transmitted a prompt via a wired connection to a computer, also wired to the ThingMagic reader—which, in turn, wrote that information to the patron’s ticket. The sensor then instantly reset, thereby allowing consecutive readings. For those possibly unfit to drive, the system displayed an alert on a video monitor above the urinal, stating: “You may have had one too many to drive. Call a cab, or use our drive home service.” An additional interrogator was mounted at the parking area in front of the nightclub. This device read every male patron’s card, and a screen displayed any warnings of high blood-alcohol levels, enabling the valet staff to determine whether or not to turn over each individual’s car keys. [Source]

NZ – Bar’s Toilet Cameras Spark Outrage

A Christchurch bar has sparked outrage after it installed cameras in its toilets in a bid to catch vandals and increase security. Popular music venue Dux Live says it was forced to introduce the in-toilet security system after a rising vandalism problem last year. The cameras have been approved by police and are even admissible as evidence in criminal courts, bar management says. This week, the Lincoln Rd bar posted footage from the cameras on its Facebook page to try to catch some people they allege to have done damage in the toilets. General manager Ross Herrick says he wants to “name and shame” bar-goers who were trying to steal framed pictures of famous musicians from the toilet walls. He denies it’s a breach of privacy, saying: “If you’re not doing anything wrong, you’ve got nothing to worry about.” Sensitive areas of the footage are blacked out, while the footage is only reviewed if there has been an issue, Mr Herrick says. “Only the guilty need be worried and only the perverted mind would think it possible that the cameras were to be used in an indecent way,” he said. [Source] See also: [Paris suburb to fight dog droppings with CCTV cameras]

Security

US – Cybersecurity Policy Developments Roundup

In February, President Obama signed an Executive Order that put into motion a number of initiatives aimed at improving the cybersecurity posture of the “critical infrastructure” of the United States. Among the Order’s most significant provisions is Section 7, which directs the Commerce Department via its National Institute of Standards and Technology (NIST) to develop a voluntary Cybersecurity Framework for reducing cyber risks to critical infrastructure. The Framework must be technology neutral and include “standards, methodologies, procedures and processes that align policy, business and technological approaches to address cyber risk.”

NIST is already well on its way to developing the Framework, which is expected to be widely influential. On July 1, NIST published a draft outline of the Framework, and NIST aims to publish a Draft Preliminary Cybersecurity Framework for stakeholder review and input in late August. In September, NIST will hold its fourth and final Framework workshop, which will focus on the August draft and other topics to be announced. NIST expects to publish the Preliminary Framework for formal public comment on October 10. Under the Executive Order, the Final Framework must be published by February 2014.

On July 30, the Senate Committee on Commerce, Science and Transportation unanimously approved the Cybersecurity Act of 2013, which would codify NIST’s role in developing the Cybersecurity Framework. The bill’s directives to NIST largely track the language contained in the Executive Order, and the bill further emphasizes that NIST should “coordinate closely and continuously” with the private sector in developing the Framework.

The Cybersecurity Act of 2013 has bipartisan support, being written by Senators Rockefeller (D-WV) and Thune (R-SD). And it has received support from business associations. The U.S. Chamber of Commerce, which has opposed cybersecurity legislation establishing regulatory-based cybersecurity standards (including the Cybersecurity Act of 2012, also introduced by Sen. Rockefeller), has endorsed the Commerce Committee’s bill. The Chamber wrote that the “bill takes smart and practical steps” in authorizing NIST to collaborate with industry in developing the Framework. “[P]ublic-private collaboration is essential to successfully countering highly adaptive cybersecurity threats,” noted the Chamber, and the Chamber welcomed the bill’s narrowly tailored industry focus. The Software & Information Industry Association has also endorsed the legislation.

The bill does not include measures relating to information-sharing programs, which have been generally viewed by industry and key policy makers as important elements of cybersecurity legislation. Recent revelations regarding the National Security Agency’s data-gathering operations will make it more challenging to draft acceptable privacy and civil liberties protections into such information-sharing legislation. Nor does the bill include measures relating to new Securities and Exchange Commission disclosure requirements, despite significant attention to these topics by Sen. Rockefeller. In response to Sen. Rockefeller’s request earlier this year, however, SEC Chair Mary Jo White noted that her staff is conducting an internal review of whether additional or new cybersecurity disclosure guidance is needed.

Meanwhile, the White House is working on ways to incentivize industry to adopt the Framework. On August 6, the White House released “Incentives to Support Adoption of the Cybersecurity Framework,” which summarizes eight incentive areas identified by the Departments of Homeland Security, Commerce and Treasury:

  • Cybersecurity Insurance: Collaborate with the insurance industry to “build underwriting practices that promote the adoption of cyber risk-reducing measures and risk-based pricing and foster a competitive cyber insurance market.”
  • Grants: Adoption of the Framework should be a condition or weighted criterion for receiving federal critical infrastructure grants.
  • Process Preference: Prioritize delivering technical assistance to operators of critical infrastructure based in part on whether those operators have adopted the Framework. Adoption of the Framework would not, however, factor into the prioritization of assistance delivered in incident response situations.
  • Liability Limitation: Agencies will consider whether reduced tort liability, limited indemnity, higher burdens of proof or the creation of a federal legal privilege preempting state disclosure requirements will encourage industry to adopt the Framework.
  • Streamline Regulations: Agencies will work to streamline compliance obligations by, among other things, eliminating overlaps between the Framework and existing laws and regulations and allowing for equivalent adoption of the Framework across regulatory structures.
  • Public Recognition: Consider whether giving the option to those who adopt the Framework to receive public recognition would incentivize participation.
  • Rate Recovery for Price Regulated Industries: Consider whether the regulatory agencies that set utility rates should allow utilities to recover cybersecurity investments related to Framework adoption.
  • Cybersecurity Research: Agencies recommend identifying where new solutions are needed to implement the Framework and supporting research and development to fill those gaps.

Because the Cybersecurity Act of 2013 codifies what the White House and agencies are already working to implement and because the bill has bipartisan support and the endorsement of business groups, the legislation has a reasonable chance of becoming law. With the draft Framework coming in a little more than a month, now is a good time for organizations of all types to consider the implications of these new cybersecurity standards. [Source]

US – NIST Releases Cybersecurity Draft Framework

The US National Institute of Standards and Technology has released a preliminary cybersecurity draft framework outlining standards and guidelines to support President Obama’s “Improving Critical Infrastructure Cybersecurity” executive order issued in February of this year. The NIST document states “The framework, developed in collaboration with industry, provides guidance to an organization on managing cybersecurity risk, in a manner similar to financial, safety, and operational risk.” A spokesperson for NIST said the document is a discussion draft ahead of NIST’s upcoming meeting in September where officials will meet with industry to discuss cybersecurity and help shape the forthcoming framework. [FCW] [Federal Times] [PCWorld] [NIST.gov]

US – Documents Reveal U.S. Launched 231 Offensive Cyber Operations in 2011

Classified budget documents released by Edward Snowden to the Washington Post reveal that the U.S. government launched 231 offensive cyber operations in 2011. The documents provide details of a budget aimed at breaking into foreign networks so that they can be put under the control of the U.S. The top countries targeted are China, Russia, Iran and North Korea. The documents outline that the NSA develops most of its software, but that it has devoted US$25.2 million for the “additional covert purchases of software vulnerabilities” from private research companies. According to an emailed statement from the NSA to the Washington Post “The Department of Defense does engage” in computer network exploitation but “The department does ***not*** engage in economic espionage in any domain, including cyber.” [Washington Post] [Atlantic Council] [Net-Security] [WIRED]

WW – Survey Confirms Woeful State of Application Security

In its “Current State of Application Security Report,” the Ponemon Institute confirms most organizations surveyed have very lax application security. The survey reveals that 90% of all security vulnerabilities are at the application layer, yet only 20% of IT security spending is at this level. The bulk of the security budget, the remaining 80%, focuses on networks and endpoint systems. The survey also reveals a serious disconnect between what senior management believes to be in place in relation to application security and what technical staff say is actually in place. Of the senior executives interviewed for the report, 71% believed that application security training is available and up to date. When asked the same question, only 20% of technical staff agreed. Speaking about the results, Larry Ponemon, founder of the Ponemon Institute, said “Hopefully, our findings stimulate awareness of the importance of application security as part of an organization’s overall risk management strategy, and encourages dialogue between executives and practitioners to ensure a common understanding of how to build and deploy more secure software applications”. [InfoSecurity] [Net-Security]

US – FBI and DHS Concerned About Android Vulnerabilities

According to an unclassified US government document, the FBI and the Department of Homeland Security (DHS) are concerned about security flaws in the Android operating system. Specifically, the document outlines concerns about threats faced by law enforcement officers and officials who are using devices running older versions of the operating system. The document says, “Android is the world’s most widely used mobile operating system and continues to be a primary target for malware attacks due to its open source architecture.” It also offers mitigation advice for certain types of threats. [CNET] [PublicIntelligence]

US – How Did Snowden Access All That Data?

The US government is having difficulty figuring out exactly what data Edward Snowden took while working as a contractor at the NSA because Snowden was careful to hide his digital footprints by deleting or bypassing electronic logs. The incident illustrates problems inherent in the structure of the data systems if they were so easily defeated. It also appears to refute assurances from the government that NSA surveillance programs are not subject to abuse because they are so tightly protected. [NBC] [ZDNet]

Smart Cards

US – Retailers’ Top Concerns Are Compliance and Security Vulnerabilities

A report assessing computer security for retailers and retail processing systems has identified compliance with PCI DSS as a major concern. Many of those surveyed stated that the amount and variety of store systems they employ makes it increasingly difficult to manage vulnerabilities across all those platforms. While many of those surveyed showed a clear understanding of PCI compliance, they highlighted that the challenge is ensuring all these systems comply with PCI. On average, only 22% of those surveyed said they trusted the manufacturers of these systems to provide security. [Yahoo] [Net-Security]

Surveillance

US – Skepticism Over NSA Review Board; Massive “Black” Budget Revealed

Opinion is streaming in surrounding U.S. President Barack Obama’s creation of an independent board to investigate the NSA’s surveillance operations, and much of it is highly critical. Focus is generally on Obama’s promise that the experts on the panel would be “outsiders” and commenters’ opinion that the members of the panel are anything but—save Peter Swire. Also, The Washington Post has major revelations derived from a leaked copy of the U.S. intelligence community’s “black budget.” Some revelations:

  • The CIA’s budget is 50% larger, at $14.7 billion, than the NSA’s budget.
  • The intelligence community was already worried about employees of contractors having too much access and had plans to reinvestigate at least 4,000 people this year with high-level security clearances.
  • The CIA and NSA already are hacking into foreign computer networks to steal information and sabotage enemy states.
  • Counterterrorism plans account for one third of the entire intelligence spend.

[The Privacy Advisor]

US – Leaked NSA Audit Reveals Thousands of Privacy Violations

The National Security Agency (NSA) broke privacy rules or overstepped its legal authority thousands of times each year, beginning in 2008. Most violations concerned unauthorized surveillance of U.S. citizens or foreign intelligence targets in the U.S. This roundup for The Privacy Advisor brings together thoughts from former DHS CPO Mary Ellen Callahan, the leaked documents, government responses—including from the NSA and Sen. Dianne Feinstein (D-CA)—as well as reported comments from Reggie B. Walton, chief judge of the FISA court, who said the court is limited in its government oversight. Additionally, in a letter to the EU’s justice commissioner, the Article 29 Working Party’s head explores investigating whether EU data protection law has been violated. [The Washington Post]

US – Talks on Surveillance Transparency Break Down

In June of this year both Microsoft and Google filed lawsuits against the U.S. government to allow them to publish more details about the surveillance requests they receive from U.S. government agencies.

However, negotiations between the two companies and U.S. government representatives broke down leading to Microsoft and Google moving forward with their lawsuits. In a blog post on Microsoft’s website, Microsoft’s General Counsel Brad Smith said “We both remain concerned with the Government’s continued unwillingness to permit us to publish sufficient data relating to Foreign Intelligence Surveillance Act (FISA) orders. We believe we have a clear right under the U.S. Constitution to share more information with the public.” [Computer Weekly] [CIO.com] [TechNet]

US – School District to Monitor Students’ Social Media Posts

A California school district has hired a company to monitor and analyze students’ public social media posts. Aiming to intervene when students are in danger related to cyberbullying, substance abuse or despair, among other risks, the school will receive a daily report of student posts on sites such as Facebook, Instagram, YouTube and Twitter from company Geo Listening. The school district’s superintendent said the program means another opportunity to keep kids safe at all times, but some parents have concerns that the program is “big brother-ish.” [Los Angeles Times] [Privacy Advisor] See also: [Toronto schools won’t send ‘fat letters’ home]

US – State Board of Education Adds Student Data Privacy Provision

The Idaho State Board of Education Aug. 15 approved an addition to existing policy to further protect student identifiable data and ensure the privacy of all data is held to the highest standard, said Marilyn Whitney, spokesperson for the board. The Idaho Data Management Council, established in 2011 and overseen by the board, makes recommendations on the oversight and development of Idaho’s Statewide Longitudinal Data System (SLDS) and oversees the creation, maintenance and use of that system. The intent of the SLDS is to provide more and better information to Idaho education leaders, policymakers, students, parents and taxpayers to help inform decision making. The SLDS is an important tool for gathering, analyzing, and reporting progress toward the state’s education goals. The action added to the current policy regarding data protection by stipulating “the privacy of all student level data that is collected by the SLDS will be protected. A list of all data fields (but not the data within the fields) collected by the SLDS will be publicly available. Only student identifiable data that is required by law will be shared with the federal government,” Soltman said. [Source]

Telecom / TV

US – Telecoms Want FTC as Regulator

The biggest U.S. cable and telecommunications companies are lobbying for a relaxation of privacy rules to allow them to sell data on customers’ telephone use. The companies want to be regulated more like private companies such as Google and Facebook rather than public utilities, arguing the regulatory landscape hasn’t kept pace with technological advances. The change, which would require new legislation, would transfer oversight of the companies from the Federal Communications Commission to the FTC. FTC Privacy and Identity Protection Associate Director Maneesha Mithal supports the shift, saying current law seems “gerrymandered to have a carve-out on mobile.” Not everyone agrees. [Financial Times]

US – Gov’t Wants Court to OK Warrantless Cellphone Searches

The Obama administration has asked the Supreme Court to rule that police are free to search the contents of an arrested individual’s cellphone without a warrant. A First Circuit Court kept intact a ruling that searches are unconstitutional, but the administration wants the decision overturned, arguing that “police have long had the authority, without a warrant, to search items that are found on a person whom they arrest” and that creating exceptions on an “item-by-item” basis would complicate police enforcement. [SCOTUSblog]

US Government Programs

US – NSA Gathered E-mails Prior to FISA Court-Ordered Revision

A newly declassified Foreign Intelligence Surveillance Court (FISC) opinion from 2011, an 85-page document released by U.S. intelligence officials, states that the NSA estimated the agency had collected as many as 56,000 “wholly domestic” communications per year. In the opinion, FISC Chief Judge John D. Bates wrote, “For the first time, the government has now advised the court that the volume and nature of the information it has been collecting is fundamentally different from what the court has been led to believe,” adding in a footnote, “The court is troubled that the government’s revelations regarding NSA’s acquisition of Internet transactions mark the third instance in less than three years in which the government has disclosed a substantial misrepresentation regarding the scope of a major collection program.” [The Washington Post]

US – NSA Paid Millions for Tech Companies’ Compliance with PRISM

Although major US technology companies have denied their knowing participation in the NSA’s surveillance program known as PRISM, recently disclosed documents show that the NSA footed the bill for the companies’ compliance to the tune of millions of dollars. [ZDNet]

US – NSA Allegedly Spied on UN offices and EU Embassies

The latest revelations from Edward Snowden, which were published in the German magazine Der Spiegel, claim the NSA spied on the offices of the UN and also EU embassies. The article claims the NSA not only breached the security of the EU embassies in Washington and New York but also the VPN between them. The article also outlines that while in the networks of the EU embassies, the NSA detected attacks allegedly originating from China and were able to hack back into the Chinese systems. The revelations have caused further outrage amongst EU countries, especially in light of the recent trade negotiations between the US and the EU. [Spiegel] [InfoSecurity]

US – PCLOB to U.S. Intelligence: Update Data-Gathering Guidelines Now

News that NSA analysts knowingly violated surveillance authority over the past decade, and were in fact disciplined for it, is just the latest information drawing attention to U.S. intelligence data-gathering activities. That scrutiny now looks to be leading to active changes. In its first major missive since its resurrection earlier this year, the Privacy and Civil Liberties Oversight Board has sent a letter to U.S. Attorney General Eric Holder and Director of National Intelligence James Clapper telling them the board believes that “key policies and procedures addressing privacy and civil liberties should be kept up to date to take into account new developments including technological advancements.” We round up this news, a new agreement Germany would like to iron out with the Obama Administration and why the NSA might be a topic at enormous music and tech festival SXSW. [Privacy Advisor]

US – Drug Agents Grab More Data than NSA; ‘Profound Privacy Concerns’

When it comes to subpoenaing telephone records, U.S. drug agents may take the trophy from the National

New information revealed by The New York Times on a counterdrug program called The Hemisphere Project shows the federal government has been paying the telecommunications company AT&T to task workers on missions for the Drug Enforcement Agency and for detectives who work at local law enforcement levels. The phone workers’ job: to give law enforcement telephone records and related data that dates back to 1987. The NSA, meanwhile, only stores telephone data for five years. And that data is confined to the telephone numbers, the time of call and the duration of call. The Hemisphere Project sweeps in every call that travels through an AT&T switch point — not just every call placed by an AT&T customer. The program falls under the purview of the White House Office of National Drug Control Policy, The Times said. The Obama administration said not to worry — that the telephone data is stored only by AT&T, not the government, Fox News said. The government can only access the information via “administrative subpoenas” from the DEA, the White House said. The American Civil Liberties Union, meanwhile, is outraged. The Hemisphere Project raises “profound privacy concerns,” said Jameel Jaffer, deputy director of the ACLU. “I’d speculate that one reason for the secrecy of the program is that it would be very hard to justify it to the public or the courts,” he said, Fox News reported. [Source]

US – DOC’s Cameron Kerry Tries to Reassure Europe Over NSA Spying

As he prepares to leave the Department of Commerce, General Counsel Cameron Kerry gave a speech Wednesday at the German Marshall Fund of the United States aimed to reassure European officials that the NSA is not violating their privacy rights. Kerry said it would be a sad outcome if the NSA disclosures led to “Internet policy-making and governance in which countries became a series of walled gardens with governments holding the keys to locked gates. But that is where we will end up if all data has to stay on servers located in the nation in which a citizen lives or where a device is located.” [The Hill]

US – Facebook Releases First Transparency Report

In its first ever transparency report, Facebook revealed that for the first six months of 2013 it received 25,000 requests from governments about Facebook users. Up to half of the requests came from US government agencies. Colin Stretch, Facebook’s general counsel, revealed that many of the requests related to criminal cases. The information requested in most cases related to basic subscriber information, such as name and length of membership. In other cases the requests looked for additional information such as IP addresses or account content. Facebook also revealed that it did not respond to every request, saying that it responded to 79% of the requests from the US government. [ComputerWorld] [InfoSecurity] [Facebook]

US Legislation

US – Gov. Signs Bill to Regulate Law Enforcement Drone Use

Illinois Gov. Pat Quinn has signed a bill that will regulate law enforcement’s use of drones. State Sen. Daniel Biss (D-Ninth District) sponsored the bill and said it helps to maintain a reasonable expectation of privacy, the report states. The American Civil Liberties Union supports the bill, calling it reasonable. The bill includes exceptions for when the Department of Homeland Security decides surveillance is necessary to prevent a terrorist attack. [The Republic]

US – States Taking Lead in E-mail, Location Privacy

After delays in congressional efforts to update the Electronic Communications Privacy Act (ECPA), some states are taking matters into their own hands. Texas and Montana have both passed e-mail privacy laws—and Montana went a step further, becoming the first in the nation to pass location-tracking legislation. Maine passed a law requiring a warrant for police to access text messages, and Massachusetts lawmakers are considering an e-mail and geolocation privacy bill for mobile device data. New York and Florida have also announced plans to tackle this issue in their next session. But, as the report states, “state-level laws cover only state-level authorities and can’t compel federal investigators. For that, there must be congressional action.” [The Washington Post]

US – Illinois Gov. Signs Student HIV Privacy Law

Illinois Governor Pat Quinn signed into law a bill to protect the privacy of students with HIV. The law, introduced by state Rep. La Shawn Ford (D-Chicago) means that the state Department of Public Health and local health departments are no longer required to notify school principals of a student’s positive HIV status. Ford has been trying to get this bill passed since 2008, noting that it is “not only important for the privacy and confidentiality for students, but is also important for public health.” [Austin Weekly News]

US – New Jersey 12th State to Pass Workplace Social Media Law

New Jersey Gov. Chris Christie has signed A2878, a law restricting employer access to the social media accounts of employees and prospective employees, making the state the 12th to pass such a law. The terms provide exceptions for certain law enforcement-related agencies and allow employers to implement and enforce policies on company-issued devices, accounts or services; conduct investigations; and comply with requirements of the law. Employers who violate the law may face civil penalties of as much as $1,000 for the first violation and $2,500 for each subsequent violation. [Mondaq]

US – Advocacy Groups Oppose $8.5M Settlement

Advocacy groups including the Electronic Privacy Information Center, Consumer Watchdog, Center for Digital Democracy, Patient Privacy Rights and Privacy Rights Clearinghouse are opposing Google’s settlement in a privacy lawsuit, writing to U.S. District Court Judge Edward Davila that the donation of $8.5 million to nonprofit groups and schools should be rejected. While the groups cite several reasons, “the most significant is that the deal allows Google to continue engaging in the same activity that led to the lawsuit—leaking the names of people who use its search engine,” the report states, noting, “The only difference for Google is that the deal requires it to revise a section of its privacy policy.” [Media Post Blogs]

US – One-Hour Breach Reporting Provision Scrapped

A proposal that would require state health insurance exchanges to report data breaches to federal regulators within an hour of their discovery has been dropped from the final regulation. Instead the Department of Health and Human Services (HHS) will rely on the “strict” breach reporting provisions included in the HHS final rule, to be published in the Federal Register, slated to take effect by October 1. [GovInfoSecurity]

US – FTC Reaches First “Internet of Things” Settlement

TRENDnet, a maker of Internet-connected home video cameras, has agreed to settle with the FTC over charges “that its lax security practices exposed the private lives of hundreds of consumers to public viewing on the Internet,” an FTC press release states, adding, “This is the agency’s first action against a marketer of an everyday product with interconnectivity to the Internet and other mobile devices—commonly referred to as the ‘Internet of Things’ (IoT).” The FTC alleges the business failed to use “reasonable security to design and test its software, including a setting for the cameras’ password requirement.” Under terms in the settlement, TRENDnet must not misrepresent the security of its products and must create a comprehensive information security program and undergo a biannual third-party audit for the next 20 years. The FTC will host a roundtable in November exploring the privacy issues surrounding the IoT. [FTC press release]

US – California to Require Do-Not-Track Disclosures

The California Senate and Assembly passed an amendment to the California Online Privacy Protection Act, which the governor is expected to sign, that will require commercial websites and services that collect personal data to disclose how they respond to Do-Not-Track signals. California Assemblyman Al Muratsuchi (D-66th District) introduced the bill, which was also sponsored by Attorney General Kamala Harris—who’s been pushing for privacy protections and consumer privacy enforcement actions. The bill does not prohibit tracking but “does require websites to choose sides to either honor or ignore Do-Not-Track browser signals,” the report states. [Adweek]

US – California Suspends RFID Legislation

In the wake of concerns from privacy groups, California legislators have suspended SB 397, which would have allowed RFID chips to be embedded into driver’s licenses and state identification cards. California’s Assembly Appropriations Committee put the legislation on hold “despite it having been approved by the California Senate, where it likely will be reintroduced in the coming months,” the report states, noting, “Had the measure passed, it would have transformed the Sunshine State’s standard form of ID into one of the most sophisticated identification documents in the country, mirroring the four other states that have embraced the spy-friendly technology.” [Wired]

US – State Bill Would Track Drivers’ Mileage

Oregon lawmakers have approved a bill that would tax drivers not on the amount of gas their cars burn but on the number of miles driven. The program, which would commence in 2015 with volunteers, would use technology to track drivers’ mileage, but that has raised concerns about government surveillance of driving habits. In response to such concerns, the legislation limits who can see the information reported by tracking devices and requires the state and private entities tracking the data to destroy location information from participating drivers within 30 days of using it for billing. [Stateline]

Workplace Privacy

CA – Privacy Watchdog Says Companies Allowed to Track Employees with GPS

Do you like the idea of your employer being able to track your every movement via GPS? Probably not. But an adjudicator with the Office of the Information and Privacy Commissioner says that, under certain circumstances, it’s reasonable for a company to monitor employees using GPS technology. Members of the International Union of Elevator Constructors complained that ThyssenKrupp Elevator Ltd. and Kone Inc. were tracking employees via GPS, which they argued was an illegal intrusion into their personal privacy. But BC’s privacy watchdog says it’s reasonable for companies to use GPS technology to ensure workers are where they say they are, to manage staff, and/or to confirm billing. ThyssenKrupp attaches GPS devices to work vehicles, while Kone goes so far as issuing employees GPS-enabled smartphones. The only concern the Office of the Information and Privacy Commissioner had was that ThyssenKrupp did not provide adequate notice to workers regarding GPS tracking. The company has been ordered to stop using GPS on employees until it informs its staff properly. [Source] See also: [How Surveillance Changes Behavior: A Restaurant Workers Case Study]

US – Web Privacy Bill Moving Forward In Wisconsin

A proposal that would make it illegal for Wisconsin employers to ask workers or job applicants to turn over their passwords to social media accounts such as Facebook is moving forward in the Legislature. A Senate committee has scheduled a hearing on the bill. That comes after an Assembly committee heard the measure in May. The bill has broad bipartisan support and could be taken up by the full Legislature as early as next month. The movement to pass such laws is gaining steam across the country as employers have asked for employees’ user names and passwords to personal accounts. Some employers argue they need that access to protect proprietary information or trade secrets, or in order to comply with federal financial regulations. But others see it as a blatant invasion of employee privacy. “It’s not something that’s happened a lot,” said Sen. Glenn Grothman, sponsor of the bill and chairman of the Senate Judiciary Committee that is holding Tuesday’s hearing. He said the measure was designed to prevent “a busybody boss or busybody college administrator, or landlord for that matter, from looking at your private account.” [Source]

AU – AAMI Customers Use Privacy Breach in Their Favour

The blind carbon copy (BCC) button on emails exists for a very good reason. Unfortunately one of AAMI’s managers failed to use it the day she sent a message to 110 private addresses. Even worse than releasing private emails, the message went to all the people with ongoing disputes against AAMI with the Financial Ombudsman Service. Now the email has accidentally united a group of people, already very unhappy with one of Australia’s largest insurers, who are now exploring the possibility of launching a class action. AAMI spokesman Reuben Aitchison said the email from a customer relations manager was a “simple but unfortunate human error involving a small number of customers.” “Email addresses were inadvertently placed in the ‘To’ field of the email, rather than in the ‘BCC’ field. As soon as we realised our error, we contacted each affected customer to apologise, explain what happened and assure them that no other personal information was revealed.” Mr Aitchison said AAMI, owned by Suncorp, has provided further training to the staff member and used it as a reminder for the rest of the company about email protocols. [Source]

 

+++

 

01-15 August 2013

Biometrics

WW – PayPal Tests Mobile Payments Using Your Face for Verification

PayPal is rolling out a new trial for British consumers to see if they really can leave their wallets at home. Recently kicking off in London borough Richmond upon Thames, the test includes 12 different merchants set up to accept PayPal payments. Using the PayPal app for iOS, Android, or Windows Phone, potential customers can see nearby participating merchants highlighted on their mobile phones. They can then check in by clicking on the merchant’s name and sliding a pin down the screen. When purchasing an item, the customer’s name and photo pop up on the store’s payment system. An employee clicks on the photo to initiate the payment. The customer then gets a notice and receipt for the transaction on their phone.  Though only a dozen retailers are part of the test, PayPal expects that more than 2,000 merchants will be able to accept the PayPal payments by the end of 2013, Sky News added. And PayPal has grander ambitions beyond this year. [Source]

WW – Intel Drops TV Facial Recognition After Privacy Fears

Intel has confirmed that its upcoming TV service will not include a camera looking at viewers, but it will still record a massive amount of content and store it in the cloud. Intel officials plan to begin selling a set-top box and services later this year that will let users receive live and recorded programming over the Internet, the latest move by a growing number of tech vendors that are looking for ways of leveraging the Web to improve people’s TV viewing experience. The idea was that the camera, through software, could recognise the faces of the viewers, and personalise the programming and ads based on who was watching. The idea of the camera looking into the room and seeing and recording who was watching what content sparked some controversy from people who worried about the data being collected and an invasion of privacy. Huggers said that the camera and its facial-recognition software was postponed for now, not only over privacy concerns but also because the technology did not work well in the low lighting that is found in many TV rooms. [Full story]

Canada

CA – Global Sweep Highlights “Significant” Shortcomings

The Office of the Privacy Commissioner of Canada (OPC) has released the findings of the first-ever Global Privacy Enforcement Network Internet Privacy Sweep, noting “shortcomings in how some online organizations provide information about their privacy practices.” The OPC’s blog includes key details as well as screenshots from the sweep. “While we did see some good examples that demonstrated it is possible to create transparent privacy policies, unfortunately, we also found some sites with no policies or that offered only brief, over-generalized statements about privacy,” said Canadian Privacy Commissioner Jennifer Stoddart, noting one “particularly disappointing example…was a paternity testing website with a privacy statement so skimpy it would fit into a tweet.” [Source]

CA – N.S. Cyberbullying Legislation Allows Victims to Sue

Stricter cyberbullying legislation is now in place in Nova Scotia, giving victims the ability to sue alleged cyberbullies. The protections for victims of cyberbullying are part of the new Cyber-Safety Act, implemented by Justice Minister Ross Landry this week, aimed at protecting victims and holding bullies responsible. If alleged cyberbullies are minors, the new legislation allows victims to hold the bully’s parents responsible. The legislation allows victims to apply for protection orders to place restrictions on, or identify, the cyberbully. [Source] See also: [UK teen’s suicide prompts calls to shut down website that allows anonymous internet bullying]

CA – Via Rail Considers New Security Checks for Passengers

Taking a train in Canada could soon become more like boarding an airplane as Via Rail considers greater scrutiny of checked baggage, more inspections by sniffer dogs and security checks on passengers.  The measures, outlined in documents released under the Access to Information Act, are being considered in direct response to the alleged terrorist plot to derail a train that led to arrests in April, said a Via Rail spokesman. At a House of Commons committee in May, a senior Via Rail official said the train service was considering whether to ask all of its travellers for identification before they board, which does not take place routinely. The spokesman says the idea, including regular checks of passenger names against security databases, is still being studied, but could be a “fairly expensive proposition” given that Via serves 450 communities spanning 12,500 kilometres of track. Via Rail currently does random searches and X-rays of baggage, uses sniffer dogs at stations and observes passengers for telltale signs of suspicious behaviour, Gagnon said. “Our employees are trained to detect body language.” Via Rail briefing notes prepared in May, released this month to The Canadian Press under the access law, indicate the passenger train service is looking at:

  • ensuring all checked baggage can be linked to an on-board passenger, a standard practice for airlines;
  • more frequent patrols by sniffer dogs to scrutinize baggage and conduct walkabouts in Montreal, Toronto, Quebec City, Ottawa and Vancouver;
  • additional security measures for the Via-Amtrak train during the Canadian leg of its journey, including mandatory identification checks on all passengers.

In addition, Via Rail has already implemented two ideas from the working group — beefed-up vigilance training for staff and stricter certification standards for members of the train service’s safety, security and risk management division. There is no timeline for making additional improvements, though a status report is to be delivered at a Via Rail board meeting at the end of August in Saskatoon, he said. [Source]

Consumer

US – Study: Consumer Reaction to NSA Could Hurt Ad Targeting

A study reveals that consumer concerns about online privacy have jumped from 48% to 57% since the National Security Agency surveillance programs were first disclosed in June. The findings, according to the report, could have “huge implications for the targeted advertising” industry because users will likely alter privacy settings and block tracking. The study also noted, if similar trends continue and some browser makers block third-party cookies by default, “the ad industry’s ability to effectively use third-party cookies for marketing purposes will decrease.” The study also found that 31% said they now actively take steps to protect their privacy online. [AdWeek]

US – Chronic Retail ‘Returners’ May Be Tracked

The Huffington Post reports on retailers’ tracking of customers’ merchandise returns. Citing fraud and security risks, companies such as Best Buy, JC Penney, Victoria’s Secret and Nike say they must create profiles on individual customers’ returns at their stores. The stores use third parties to create “return profiles” and report back to the retailer, but consumer advocates say the practice violates privacy because of a lack of transparent disclosures. The practice led to a lawsuit against Best Buy recently, though the case was eventually dismissed. [Source]

EU – U.S. & Germany to Enter No-Spying Agreement, Says German Government

The U.S. has verbally committed to enter into a no-spying agreement with Germany in the wake of disclosures about the U.S. National Security Agency’s secret surveillance programs. The verbal commitment was given in talks with the German Federal Intelligence Service (Bundesnachrichtendienst, BND), the sole foreign intelligence service of Germany, the German government said in a news release. This means that there must be no governmental or industrial espionage between the two countries, it said. More common standards for the cooperation of E.U. intelligence services are in progress, the German government added. No further details about the agreement were given. The German Federal Ministry of the Interior, reached on Monday, could not immediately respond to a request for comment. The no-spying agreement talks were announced as part of a progress report on an eight-point program proposed by German Chancellor Angela Merkel in July with measures to better protect the privacy of German citizens. The plan was drafted “due to the current discussions about the work of the intelligence services,” the German government said. [Source] See also [Germany demands sanctions for US firms over privacy]

E-Government

CA – BC Liberals Did Not Violate Privacy Laws in Ethnic Scandal: Report

The provincial government did not give private personal information to the B.C. Liberal party as part of a controversial outreach plan to woo so-called ethnic voters, B.C.’s information and privacy watchdog, Commissioner Elizabeth Denham, said in a report released this week. The findings come after an internal review into the ethnic outreach scandal conducted before the election by Premier Christy Clark’s deputy minister, John Dyble. That review found serious misconduct by public officials, the misuse of government funds and the deliberate use of private emails in a bid to win ethnic votes. Denham said she launched her own parallel investigation to “determine whether there was sharing of personal information between the government and the B.C. Liberal Party, and if there was, whether this sharing was authorized under provincial privacy law.” In her report Thursday, Denham found no contraventions of privacy laws, but did agree there were “significant issues with the handling of personal information that need to be addressed.” [Source]

CA – Canada Studies Britain’s ‘Nudge Unit’ for Ways to Give the Public a Push

It’s known as the “nudge unit,” because its mission is to “nudge” citizens into acting the way the government wishes they would. Pioneered in Britain, it is officially tagged with the 1984ish name Behavioural Insights Team – about a dozen policy wonks, mostly economists, who employ psychological research to subtly persuade people to pay their taxes on time, get off unemployment or insulate their attic. The goal: To make consumers act in their own best interests – and save the government loads of money. Now Canada is looking into this growing field of behavioural economics. Finance Canada documents obtained by The Globe and Mail through Access to Information show Michael Horgan, the deputy minister of Finance Canada, was recently briefed on the activities of the three-year-old British team, which has attracted interest from governments around the world. The Finance Department acknowledges there are potential ethical concerns when governments mix economics and psychology to nudge citizens into making specific choices, but concludes those concerns can be addressed with transparent policies. And there is a potential payoff: With an annual budget of just $1.6-million a year, officials say, the British unit has already saved its government $480-million. One project, which sent court fines by text message rather than by mail, dramatically reduced bailiff interventions and saved nearly $50-million. [Source]

E-Mail

EU – German Providers Tout Secure eMail Services

Just days after two US-based secure email providers shuttered operations in the face of government demands for data, German email providers have begun offering their own secure email services, in which SSL will be on by default. The providers, Deutsche Telekom’s T-Online and United Internet’s GMX and Web.de services, say they will send mail within the country through domestic servers only. However, the companies’ plans provide security only for messages in transit; they do not provide secure data storage. Despite Germany’s strong data protection laws, there are exceptions for security agency demands, and SSL can be intercepted and decrypted fairly easily. The technology media say the secure email tagline is nothing more than marketing. [ZDNet] [ArsTechnica] [NBCNews]

US – Secure eMail Provider Lavabit Shuts Down

Lavabit, the secure email server that Edward Snowden had been using, has shut down. The company’s owner, Ladar Levison, wrote that he had to decide between “becom[ing] complicit in crimes against the American people or walk[ing] away from nearly ten years of hard work.” Levison wrote that although he would like to be able to tell users what prompted his decision, he is not at liberty to disclose that information, leading to speculation that the company received a National Security Letter or a search or eavesdropping warrant. Another encrypted communications service, Silent Circle, has shut down its Silent Mail service, noting, “We see the writing [on] the wall, and we have decided that it is best for us to shut down Silent Mail now.” [WIRED] [The Register] [ArsTechnica]

NZ – Mega to run ‘cutting-edge’ encrypted email

Kim Dotcom’s Mega.co.nz is working on a highly-secure email service to run on a non-US-based server. It comes as the US squeezes email providers that offer encryption and Mega’s CEO calls Lavabit’s and Silent Circle’s shutdown an “honorable act of Privacy Seppuku.” Mega has been doing an “exciting” but “very hard” and time-consuming job of developing an email service that is both highly secure and functional. “The biggest tech hurdle is providing email functionality that people expect, such as searching emails, that are trivial to provide if emails are stored in plain text (or available in plain text) on the server side. If all the server can see is encrypted text, as is the case with true end-to-end encryption, then all the functionality has to be built client side,” he explained, adding that even Silent Circle did not try to achieve such a feat. According to the company’s founder Dotcom, Mega doesn’t hold decryption keys to customer accounts and “never will”, thus making it impossible for it to read the emails. This also means that Mega by design cannot be forced to rat on its users by intelligence agencies. However, Dotcom earlier told TorrentFreak that new spy legislation being pushed by the US and its Five Eyes alliance partners – UK, Canada, Australia and New Zealand – may force Mega to relocate its servers to some country exempt from such jurisdictions, such as Iceland. [Source]

NZ – Email Privacy Breaches Inspire NZ Tech Tool

A Wellington tech company has responded to calls from the public sector by launching a new tool designed to prevent email privacy breaches. Several government agencies have already signed up to use the product, including the Financial Markets Authority (FMA) and Ministry of Primary Industries (MPI). Software developer Liverton Technology Group has developed a system called MailAdviser which works at the front end of Microsoft Outlook. Justin De Lille, chief executive of Liverton, said the tool prompts users to double-check messages and attachments when sending to an unsecured or public email address. [Source]

Electronic Records

WW – Exploring Computer-Manipulation of the Mind

The New York Times looks at the latest research into computer-brain interfaces and the possibility of sending brain waves over the Internet. Potential uses for brain-computer interfaces include human interaction with computers and other mobile devices simply by thinking. In 2011, scientists published research on Decoded Neurofeedback, a process by which brain activity can be altered. Additionally, Duke University neuroscientist Miguel A. Nicolelis has successfully connected the brain activity of two rats over the Internet and conducted an experiment called a “brain net,” which allowed rats to share information over the web. Nicolelis said he believes humans will eventually be able to communicate over the Internet via brain waves. “I think this is the real frontier of human communication in the future,” he said. [The New York Times]

Encryption

WW – Tor Network Breached

The web anonymity service Tor announced that its network had been breached through a vulnerability in the Tor Browser, and that malicious JavaScript may have revealed the identities of those using the service. Tor allows web users to mask their browsing habits by sending data through onion routers that strip the original header information—including the user’s IP address. As a result, a hidden server network run by Freedom Hosting was taken offline. Freedom Hosting’s owner and operator Eric Eoin Marques is currently being held without bail and awaits extradition by the FBI for allegedly distributing child pornography online. Based on the timing of the arrest and the insertion of the malicious code, some speculate U.S. investigators introduced the script. “There are lots of rumors and speculation as to what’s happened,” writes the Tor Project on its blog. “We’re reading the same news and threads you are and don’t have any insider information.” [Naked Security]

WW – Researcher’s Spy Boxes Pick Up Troves of Unencrypted Data

Security researcher Brendan O’Connor recently wondered how easy it would be to monitor—as a private citizen—the movement of strangers on the street. So he built 10 contraptions made of sensors, a tiny computer and Wi-Fi adaptors and proceeded to spy on himself. The data his contraptions collected sent signals to a command-and-control system and included the unique identifiers of his phone and iPad—in unencrypted fashion. “Actually it’s not hard,” O’Connor said. “It’s terrifyingly easy…It could be used for anything, depending on how creepy you want to be.” [The New York Times]

EU Developments

EU – EU Looks to Speed Up Privacy Reforms

The European Commission wants to quicken the pace of passing the proposed data protection regulation, which is currently held up in the European Parliament’s civil liberties committee. Commissioner for Justice Viviane Reding, who in July appealed to member states to place the bill on an EU summit in the fall, said, “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file.” Hunton & Williams’ Bridget Treacy noted, “Over the past few months, there has been widespread discussion of a risk-based approach to data protection regulation and some detailed exploration of the key elements of such an approach under the Irish presidency.” EU lawmakers have said they want the reforms passed by May 2014. [EUObserver]

EU – Working Party Weighs In on Purpose Limitation and Big Data

The concept of purpose limitation is a cornerstone of the protection of personal data. It is an essential first step in applying data protection laws since it constitutes a prerequisite for other data quality requirements, contributes to transparency and legal certainty and sets limits on how controllers are able to use personal data. In this exclusive for The Privacy Advisor, Stefano Tagliabue discusses the Article 29 Working Party’s opinion on purpose limitation and Big Data. [Source]

EU – U.S. Surveillance Spurs EU Efforts to Tighten Data Protection Rules

The EU has reacted to the U.S. National Security Agency surveillance program disclosures, including the determination by some, to enact the proposed data protection regulation by May of next year. German MEP Jan-Philip Albrecht said, “The importance has been made clear now with all these revelations, we need cross-border rules, European rules, to safeguard fundamental rights,” adding, “It makes the world more vivid.” Shearman & Sterling associate Hartmut Häselbarth said the May deadline is ambitious, but in the long run, American businesses with a presence in Europe “will most likely have problems in (the) future.” [The Wall Street Journal]

EU – Ukraine Amends Personal Data Protection Law

On July 3, the Ukrainian Parliament amended its privacy law effective January 1, 2014. The amendment will transfer the functions of the State Service of Ukraine on Personal Data Protection to the Ombudsman, whom data controllers will be required to notify of the processing of “high risk” personal data. There have also been changes to notification periods, and the definition of “consent” to data processing has been removed altogether. According to Lexology, “It remains unclear whether previously registered databases will need to be notified to the Ombudsman.” [Lexology]

UK – ICO Publishes PIA Code of Practice

The UK Information Commissioner’s Office (ICO) has published a consultation on a new privacy impact assessment (PIA) code of practice and released a study on PIA and risk management. The ICO first announced the study, conducted by Trilateral Research & Consulting, was underway back in January. The consultation states the new code of practice aims to “help organizations conduct assessments of new projects that involve the use of personal information. The code explains the key principles behind a PIA and suggests how a PIA can be integrated with an organization’s project and risk management processes.” [Source]

UK – ICO Publishes Regulatory Action Policy

The UK Information Commissioner’s Office (ICO) has published a Data Protection Regulatory Action Policy, outlining what the office will consider when deciding whether to initiate regulatory action. Noting that “market factors” may influence the decision, the policy points to some “initial drivers,” including issues of “general public concern,” those due to the “novel or intrusive nature of particular activities” and those stemming from complaints. When asked for clarity on “market factors,” an ICO spokesman said in markets where “consumers demand effective privacy protection…market forces will be driving businesses to deliver better privacy protection, without the need for the regulator to intervene.” [Out-Law]

EU – Italian DPA Releases Rules on Spam and Viral Marketing

The Italian Data Protection Authority (Garante) earlier this month released a set of rules dealing with spam and viral marketing. The provision, named “Guidelines on Marketing Activities and Spam,” is intended to fight the abuse of marketing communications and to promote fair commercial practices towards users and consumers. [Full Story]

EU – French Supreme Court: Undeclared File Sale Is Void

The French Supreme Court has ruled that the sale of a file containing personal data that should have been declared to the French data protection authority, the CNIL, but was not, must be cancelled. “Having noticed that this rule had not been complied with, the court found such a file to be illegal and unable to be subject to a convention under the French Civil Code,” the report states, noting the sale had to be considered void. “This ruling is particularly important in that it is the first time that the court has applied such reasoning,” the report states, noting it “reminds us of the importance of complying with the obligations attached to the handling of personal data…” [Lexology]

Facts & Stats

UK – ICO Publishes Breach Trends Statistics; Gov’t Leads List

In a recent Information Commissioner’s Office (ICO) blog post, Sally-Anne Poole says statistics indicate carelessness is the cause of much of the office’s enforcement business. The ICO uses statistics to help inform its response to incidents, Poole writes. The health and local government sector leads the list for data breaches, followed by schools and solicitors. The ICO has published a spreadsheet of its civil monetary penalties for the first quarter of 2013 so the public can see such trends. [Source]

US – Data Breaches from 2005 to Present Exceed 500 Million

From 2005 to present, there have been a reported 535,267,233 data records breached in the U.S. That’s 1.7 times the U.S. population, and the number only reflects reported breaches. “Many, or perhaps most, of the breaches that have occurred over the past decade have no reported number of records associated with them. They’re designated as ‘unknown,’” the report states. Ken Hess writes that, if each record breached represents one account, “just about everyone who lives in the U.S. is at risk of having at least one part of his or her data hijacked from multiple sources. It also means that absolutely no one’s data is safe.” [ZDNet] See also: [High-tech toilet gets hacker warning; nothing is safe]

Finance

US – Senator Concerned About CFPB Data Collection

In a press release, Sen. Mike Crapo (R-ID) has raised privacy concerns about the collection of sensitive financial data by the newly created U.S. Consumer Financial Protection Bureau (CFPB). The ranking member of the Senate Banking, Housing and Urban Affairs Committee, Crapo is concerned about how data is being collected, how many accounts are being monitored, how the data is being used and how many safeguards are in place to protect the data. The Government Accountability Office has agreed to investigate the collection programs. “Recently, cases of privacy abuse” have reached the headlines, Crapo said, “and we now have a federal agency that is using unchecked power to gather data on the spending habits of hundreds of millions of Americans.” The senator plans to hold a press conference on the issue on Monday, August 12. [Source]

FOI

CA – Alberta Privacy Commissioner Pushes For Even More Openness

Alberta needs to establish minimum standards to ensure that more government information is made freely available to the public without a fight, says the province’s information and privacy commissioner. That’s one of a series of recommendations made by Jill Clayton in her submission to the provincial government’s review of the Freedom of Information and Protection of Privacy Act (FOIP). Clayton said she wants a legislated requirement for public bodies to commit to “proactive disclosure” of information and minimize the need for formal access requests from citizens. “In my view, that should be sort of the avenue of last resort,” she said in an interview. “Public information should be available to the public.” Clayton said that Alberta has taken some positive steps lately, such as the mandatory expense disclosure policy for MLAs and senior civil servants introduced by the Redford government last fall. But she noted that a 2012 study of four provinces’ FOIP legislation by the Centre for Law and Democracy ranked Alberta’s the lowest. [Source]

CA – Disclosure changes considered for Saskatchewan MLAs

Saskatchewan’s Conflict of Interest Commissioner Ronald Barclay says discussions are underway regarding changing, for privacy reasons, some of what is publicly disclosed by MLAs. “In our legislation, we not only disclose the assets of the members and the spouses, but you also have to disclose the names of any dependent children and also the residences of where the members live,” Barclay said. In his most recent annual report, Barclay comments on requests he received from several MLAs asking whether the legislation related to those requirements should be amended for privacy reasons. “In all the other jurisdictions except ours, those are exempt. For a dependent child, you just put Child A, Child B, Child C and you wouldn’t have to list the addresses of the MLAs,” Barclay said. “I’m going to turn it over to the two caucuses and they’ll have to make a decision whether or not they want to amend the legislation.” The information would still need to be disclosed to the commissioner, but it wouldn’t become public, Barclay said. [Source] See also: [Manitoba: New rules may be needed for political parties asking personal questions: lawyer]

CA – No Privacy Concerns In Releasing Daycare Complaints

Ontario’s privacy commissioner says there are no privacy concerns that would prevent the government from releasing complaints against unlicensed daycares to the public. “My office recently spoke with the Ministry of Education and we clearly outlined that there are no privacy issues with releasing non-personal, business information regarding unlicensed daycare investigations or occurrences,” Ann Cavoukian wrote in a statement. [Source]

Genetics

US – Unprecedented Pact Reached With Lacks’ Descendants

In an unprecedented move, the National Institutes of Health (NIH) announced an agreement with the descendants of Henrietta Lacks, whose cervical cancer cells were taken without permission by scientists 62 years ago, giving them control over which biomedical researchers will gain access to the full genome data derived from her cells, MSNBC reports. NIH Director Francis Collins said it is an “historical agreement” that will “protect the family’s interest and also further their commitment to biomedical research.” In a column for Nature, Martin Bobrow writes on the “growing issue in modern science: access to biomedical and health-related research data.” [Source]

Google

WW – Google Defends Chrome’s Password Manager

A software developer was surprised to find that Google Chrome lets anyone with access to a computer see, in plaintext, the passwords the browser has stored. Google has acknowledged this characteristic of the browser from the beginning and maintains that it is not a security flaw. Google explains that security “boundaries within the OS user account just aren’t reliable,” and the company “doesn’t want to provide users with a false sense of security” by supporting a security scheme, such as a master password, that doesn’t work. “When you grant someone access to your OS user account, they can get at everything.” [WIRED] [SCMagazine] [v3.co.uk] [CNET] [Developer’s Blog] [Google’s Response]

WW – Google: don’t expect privacy when sending to Gmail

People sending email to any of Google’s 425 million Gmail users have no “reasonable expectation” that their communications are confidential, the internet giant has said in a court filing. Consumer Watchdog, the advocacy group that uncovered the filing, called the revelation a “stunning admission.” It comes as Google and its peers are under pressure to explain their role in the National Security Agency’s (NSA) mass surveillance of US citizens and foreign nationals. [Source]

Health / Medical

US – Obamacare Privacy Safeguards “Way Behind”; Violations “Rampant”

The Office of the Inspector General of the Department of Health and Human Services (HHS) says the Obama administration has not set up adequate safeguards to protect U.S. citizens’ privacy under the law. The office says health data exchanges under Obamacare may expose private records to hackers and criminals. The healthcare plan mandates the creation of a “data hub,” accessible by seven different federal agencies, including the Internal Revenue Service, the Social Security Administration and the Department of Homeland Security. A spokeswoman for HHS said privacy safeguards are delayed by at least two months, with the exchanges slated to begin October 1. [Forbes]

US – HIPAA-Compliance Deadline Looms

In an article for National Law Review, Elizabeth Johnson of Poyner Spruill says one of the highest priorities for HIPAA-covered entities required to meet new aspects of the recently updated HIPAA rules is to update business associate agreements. That’s because the distribution, negotiation and execution process can be time-consuming, she writes. “With the compliance deadline only two months away, covered entities must focus efforts to ensure that all updates are complete and new training concluded prior to the September 23 deadline.” [Source]

Horror Stories

US – Alumni, Donors Notified of Breached Server

The School of Forestry and Wildlife Sciences at Alabama’s Auburn University has begun notifying an undisclosed number of alumni and donors that their personal information has been breached. The incident occurred when spreadsheets containing the individuals’ names, Social Security numbers and e-mail addresses, among other data, were mistakenly uploaded to a publicly available server. Meanwhile, a Texas lawmaker is taking action to ensure greater transparency when it comes to state agencies’ cyber threats. [eSecurity Planet]

US – Provider Announces Laptop Theft

California-based Retinal Consultants Medical Group has announced the theft of an unencrypted laptop containing protected health information. The laptop, part of a diagnostic imaging machine, contained patients’ names, dates of birth and genders, among other information. The provider has notified affected individuals, encouraging them to monitor bank accounts and obtain credit reports; however, according to the notification, it is not aware of any access to or misuse of the data. [HealthData Management]

US – Healthcare Breach Affects 32,000

Cogent Healthcare is notifying approximately 32,000 patients in 24 physician groups it manages “that their personal health information may have been exposed online.” The report states that M2ComSys, a company Cogent Healthcare contracted to transcribe patient care notes for some of its physician groups, stored notes that included “patients’ names, birthdates, diagnoses, summaries of treatments, medical histories, medical record numbers and physicians’ names, on a website” that suffered a security lapse. “We are generally unable to identify who accessed the notes,” Cogent Healthcare has said. Those affected are being offered a free one-year membership in an identity protection service. [eSecurity Planet]

CA – Hospital Notifies 1,300 of Breach, Nurse Fired

A nurse has been fired by Canada-based Norfolk General Hospital for unauthorized access to more than 1,300 patient records. An investigation revealed the nurse allegedly violated the Personal Information Protection Act multiple times dating back to 2004. Compromised data included patient names, health care numbers, dates of birth, contact information, doctor names and reason for visit. The organization has notified affected patients. A Vermont-based healthcare and hospice facility has also announced a breach and notified affected patients after an employee’s laptop was stolen. Meanwhile, Boston Public Schools will redesign student information cards after a hard drive containing PDF images of 21,054 student IDs was lost. [Brantford Expositor]

US – Airline’s Second Significant Breach in a Month

For the second time in the past 30 days, U.S. Airways has revealed it has suffered a breach of PII. As many as 7,700 customers may have been affected by the latest breach, which customers discovered when they noticed their frequent flyer miles were missing, and compromised data includes usernames, passwords, birth dates, addresses, security question answers and the last four digits of credit cards. The last breach involved employee data. U.S. Airways said it has restored “all mileage balances as quickly as possible” and will provide free identity-theft monitoring. [Source]

Identity Issues

WW – Twitter’s Two-Factor Authentication

Twitter has made changes to the two-factor authentication system it introduced in May, which used text messaging. The new login verification system for its mobile app uses the app itself to authorize account access instead of communicating through text messaging, which can be less than trustworthy. Users who want to update to the new authentication system need only update their mobile Twitter apps. Attempted logins will provide rough locations and information about the browser being used. Twitter acknowledges that two-factor authentication is a work in progress and says it will continue to improve the process. [ZDNet] [ArsTechnica] [WIRED] [NBC News]

US – The Inaccuracies of Data Broker Dossiers

Forbes reports on the inaccuracies that are often found in dossiers compiled by data brokers. Amassing profiles on millions of Americans can be difficult because many people have the same names and can easily be mixed up, and in one example, that caused embarrassment. “Even with so many suppliers sucking up details of our personal transactions at every step and selling them to data brokers,” the report states, “errors plague the process.” The inaccuracy problem has received attention from the Federal Trade Commission (FTC). Earlier this year, FTC Commissioner Julie Brill gave a speech calling for a new policy, called Reclaim Your Name, which would provide consumers with avenues to check the accuracies of their profiles. Acxiom is reportedly working on an access feature. [Source]

WW – Microsoft Researchers Develop 3D Passive ID Tags

Engineers in Microsoft’s research division have developed an automatic-identification technology known as InfraStruct, using passive tags operating in the terahertz (THz) band. Instead of encoding data onto a silicon chip, as is typically the case for passive RFID tags operating in the low-frequency (LF), high-frequency (HF) or ultrahigh-frequency (UHF) radio frequency (RF) bands, the InfraStruct system involves building a unique shape or hollowed section directly into a structure, with an ID number or other data physically represented in that shape or section. The InfraStruct concept, still in the prototype stage only, includes a unique method of building a tag into a three-dimensional printed plastic object, as well as a terahertz scanner that transmits an optical-like radiation into the item that is reflected back to the scanner. Software then measures the response of the reflection received, thereby identifying the unique item based on that measurement. [Full Story]

Internet / WWW

US – Apple updates App Guidelines with Eye On Children’s Privacy

Apple has tweaked its guidelines for app developers to emphasize the latest rules regarding children’s privacy. The guidelines have been updated to reflect the latest changes to the Children’s Online Privacy Protection Act (COPPA) and Apple’s renewed focus on education with iOS 7. In the past, COPPA prevented developers from gathering the names, addresses, and phone numbers of children under 13 without parental consent. Since the start of the year, those restrictions have extended to photographs, videos, and audio as well. The specific guidelines now read as follows:

17.3 Apps may ask for date of birth (or use other age-gating mechanisms) only for the purpose of complying with applicable children’s privacy statutes, but must include some useful functionality or entertainment value regardless of the user’s age.

17.4 Apps that collect, transmit, or have the capability to share personal information (e.g. name, address, email, location, photos, videos, drawings, persistent identifiers, the ability to chat, or other personal data) from a minor must comply with applicable children’s privacy statutes.

As part of its new emphasis on the educational market, Apple also updated its guidelines with a new section known as “Kids Apps.” Children under 13 will now be able to have their own individual iTunes accounts. But developers who design apps for kids must follow certain rules, such as including a privacy policy, excluding behavioral advertising, and requiring parental consent before letting children “link out of the app or engage in commerce.” [Source]

WW – Facebook Posts Online Privacy, Safety Guide

Facebook has posted a new guide for survivors of domestic abuse, detailing steps to protect safety and privacy while still being able to connect with family and friends on the social network. Facebook teamed with the National Network to End Domestic Violence to come up with the guidelines, which can be found at the Facebook Family Safety Center, facebook.com/safety. Some might suggest that using a fake profile name or not using the social network at all may be the best course of action. But in most cases, neither is true, Southworth said in an interview during a break in the group’s three-day technology safety summit in San Jose. “It’s not acceptable to tell survivors of domestic violence just to give up their technology,” she said. “What she really needs is that he not be able to contact her and, if he does, that he is held accountable.” A domestic abuser often tries to gain power and control by isolating the victim from friends and family, she said. “One of the things we advocate is to rekindle connections with friends and family and jobs,” she said. “Some of that can be through Facebook, some of that can be through in-person activities. We don’t think any victim needs to choose to be offline.” Although a small number of survivors might need to change their identities, she said the group is not recommending that course of action as much as before because it also brings on unintended consequences, such as the loss of a person’s credit history or a nursing license needed to work. And when there’s a legal protective order preventing contact, repeated Facebook posts by the abuser could provide the “compelling digital evidence” needed to convince an officer or judge of a violation, she said. The “Guide for Survivors of Abuse” is generally applicable to any Facebook member who wants to protect their online privacy and safety, even in a publicly social world. The guide also advises caution when accepting a new friend request. “Unfortunately, some abusive individuals use clever tactics to gain access to a victim’s information,” the guidelines said. “In some instances, abusive individuals maliciously create accounts impersonating a friend of the person they want to connect with.” [Source]

Law Enforcement

US – FBI Employing Hackers’ Techniques

U.S. law enforcement officials are “expanding the use of tools routinely used by computer hackers to gather information on suspects.” Law enforcement calls the practice, which includes remotely activating Android microphones to record conversations on cellphones or on laptops and hiring hackers themselves, “going dark.” The ACLU says there should be legal guidelines on how such hacking tools can be used. A spokesperson for the Justice Department said it makes decisions regarding legal authority to conduct surveillance on a case-by-case basis. [The Wall Street Journal] See also: [Yukon Mounties to star in their own reality show, raising privacy concerns] See also: [License plate scanning: The inside story of a cop who tracks our data] and also: [Predictive policing: Don’t even think about it]

US – NYPD Agrees to Purge Stop-Frisk Databank

The Bloomberg administration has agreed under a settlement announced to purge a New York City Police Department database containing personal information on individuals who were stopped by authorities, and also agreed to pay $10,000 to the lead plaintiff in a putative class action. Christopher Dunn, associate legal director of the New York Civil Liberties Union and lead counsel in the case, said in an interview that hundreds of thousands of names of innocent individuals will be erased from the NYPD database as a result of the settlement. Legislation signed in 2010 by Governor David Paterson barred the NYPD from retaining stop-and-frisk data when the individual questioned was let go without an arrest or summons (NYLJ, July 19, 2010). But the legislation did not require expunging information on cases where the target was arrested or issued a summons, even if the charge was ultimately dismissed, leaving the city with a partial investigatory tool. On behalf of Lino and Khan and several hundred thousand other citizens, the NYCLU brought a class action arguing that the records should also be expunged. Acting Supreme Court Justice Barbara Jaffe dismissed the case for lack of standing, but she was reversed by the Appellate Division, First Department (NYLJ, Dec. 21). The appeals court revived the plaintiffs’ case, resulting ultimately in the settlement. [New York Law Journal]

US – IRS Manual Detailed DEA’s Use of Hidden Intel Evidence

Details of a U.S. Drug Enforcement Administration program that feeds tips to federal agents and then instructs them to alter the investigative trail were published in a manual used by agents of the Internal Revenue Service for two years. The practice of recreating the investigative trail, highly criticized by former prosecutors and defense lawyers after Reuters reported it this week, is now under review by the Justice Department. Two high-profile Republicans have also raised questions about the procedure. [Source]

Location

CA – Live Traffic Map Uses Vancouver Drivers’ Cellphone Data

Drivers in the Vancouver area are unknowingly helping to track traffic congestion, as their cellphone GPS signals are being automatically fed into a new online traffic map. TransLink, Transport Canada and B.C.’s Transportation Ministry have unveiled an online, colour-coded traffic map of the Lower Mainland with real-time updates that indicate areas of congestion. “It tracks your cellphone signals, and based on that, it directs that data online,” said TransLink spokeswoman Jiana Ling. Ling said TransLink does not receive any personal data from cellphone signals and that all personal information is “scrambled and anonymized” before it is pushed to the map. “Cellphone signals within the telecom network get picked up and stripped of any personal information at the source,” Ling said in an email statement to CBC News. “TransLink’s data provider then processes the anonymous cellphone signals through a specialized algorithm. This algorithm generates the average speed of commuters on the road network and TransLink posts this information online. The algorithm can only generate the average speed of the road network; it cannot identify the travel patterns of any specific cellphone user.” But Tom Keenan, an online security expert at the University of Calgary, questions how secure the software is. “If they did a good job, the hackers will walk away and say, ‘We can’t get anything.’ If they did a bad job, you can rest assured that your Uncle Charlie is going to be tracked on the freeway.” Micheal Vonn, policy director for the BC Civil Liberties Association, said TransLink failed to commission a privacy impact assessment for the map, something it is legally bound to do. “In the rush to use these new technologies, the obvious steps for consideration around privacy and security have been missed,” Vonn said. Ling said TransLink conducted an internal review and decided a privacy assessment was not required since the data it receives does not contain any personal information. [Source] See also: [ON: Desjardins tests device that will monitor drivers’ habits]

US – “Spoofers” Use Fake GPS Signals to Knock a Yacht Off Course

University of Texas researchers recently tricked the navigation system of an $80 million yacht and sent the ship off course in an experiment that showed how any device with civilian GPS technology is vulnerable to a practice called spoofing. Led by GPS expert Todd Humphreys, the researchers used a handheld device they built for about $2,000. It generates a fake GPS signal that appears identical to those sent out by the real GPS. The two signals reach the targeted system in perfect alignment. The strength of the fake signal slowly ratchets up and overtakes the real one. The yacht’s captain offered up his boat for the experiment after seeing Humphreys give a presentation at this year’s SXSW conference. The takeover took place in June while the boat was traveling in the Mediterranean off the coast of Italy. From a perch onboard the yacht, the spoofing researchers shifted the ship’s course three degrees to the north. They also convinced the yacht’s GPS system that the boat was underwater. [Source]

WW – Kids’ App Prevents Tracking and Targeting

A mobile app developer has released a new iOS app that aims to prevent web-browsing data and other in-app activity from being shared with third parties, Broadway World reports. Disconnect Kids also includes an educational function to introduce children and parents to online privacy issues. Features include a mobile tracking blocking function, a comic book discussing online tracking and targeting and two animated videos to help children and parents understand and control their personal data. [Source]

Offshore

WW – IBM Gets Certified Under APEC Privacy Rules

IBM has announced it has achieved certification under the Asia-Pacific Economic Cooperation (APEC) Cross-Border Privacy Rules (CBPR), the first company to do so, according to a press release. The CBPR system is designed to facilitate data flows between the U.S. and the other APEC member economies through voluntary, enforceable codes of conduct. IBM Chief Privacy Officer Christina Peters said, “CBPR rules will become the foundation of a globally accepted system that enables data to be shared throughout different regions with strong and trustworthy privacy protections.” Hogan Lovells Partner Christopher Wolf told The Daily Dashboard, “APEC CBPRs, containing enforceable commitments for the protection of personal data, are a lot like BCRs (binding corporate rules) that the EU recognizes as sufficient for cross-border transfers. Their adoption and effectiveness suggests that the EU should move its focus from the adequacy of the U.S. legal framework to whether personal data is being adequately protected through mechanisms like the CBPRs.” [IBM Press Release]

CN – China Issues Regulation on Collection and Use of Personal Data

On July 16, 2013, China’s Ministry of Industry and Information Technology (“MIIT”) promulgated the Provisions on Protecting the Personal Information of Telecommunication and Internet Users (“Internet Provisions”). The Internet Provisions, which take effect September 1, 2013, provide specific implementation rules for telecommunication and internet information service providers’ (“TSPs” and “IISPs,” respectively) collection and use of “user’s personal information,” based on a more generally addressed national law protecting “personal electronic information” issued in December 2012 and entitled Decision of the Standing Committee of the National People’s Congress on Strengthening Online Information Protection (see our previous client alert here). In its final form, the Internet Provisions reiterate most of the specific provisions relating to the collection and use of a user’s PI found in the draft for public comment (see our previous client alert on the draft here). Now binding, these provisions require TSPs and IISPs to:

• Post PI collection and use policies at their place of business or online;
• Not collect or use a user’s PI without the user’s consent;
• Notify users regarding collection and use of PI, including the purpose, method, and scope of use, as well as avenues for the user to consult or amend the information, and the consequences if a user fails to provide the required information. (Notably, the final version of the Internet Provisions states that its rules regarding user notice and consent will supersede any other law or regulation on this point, which would appear to include the December 2011 promulgated Several Provisions on Regulating the Market Order of Internet Information Systems.)
• Maintain strict confidentiality of a user’s PI; not disclose, distort, or damage a user’s PI; and not sell or illegally provide PI to others; and
• Provide company contact information so that users may provide feedback, and resolve any complaints lodged by customers within 15 days.

The Internet Provisions also provide that in circumstances in which a TSP or IISP entrusts a third party with PI for the purposes of providing “direct services” to the user, the TSP or IISP should “supervise and manage” the third party’s utilization of the PI and not entrust PI to any third party unable to meet the PI protection requirements set out in the Internet Provisions.

PI Storage and Handling Security Requirements: Significantly, the Internet Provisions mandate the adoption of eight internal security measures in order to avoid disclosure, loss, damage or distortion of a user’s PI, including requirements to:

• Establish an internal safety management system and associated workflows for the collection and use of a user’s PI and other related activities, and confirm the related responsibilities for protecting PI within each department, branch, and position in an organization;
• Limit access by employees and agents to data, carry out supervisory activities over bulk export, reproduction, or deletion of PI, and adopt necessary measures to protect against unauthorized disclosure;
• Guarantee appropriate storage and security measures for the protection of storage devices containing PI;
• Conduct access checks for systems containing users’ PI, and adopt anti-virus and anti-intrusion measures;
• Record the details of any individual’s handling of a user’s PI, including such information as the time and place of system access; and
• Implement telecom security precautions in accordance with relevant MIIT regulations regarding network security.

The Internet Provisions also strengthen government inspection rights by permitting government authorities to conduct “supervisory inspections” that may include requests for all “related materials” as well as permission to enter the facilities of any TSP or IISP to investigate compliance efforts. [Source]

Online Privacy

US – Mayer Resigns from DNT Group

Stanford’s Jonathan Mayer has resigned from the working group tasked with creating a Do-Not-Track standard for the Internet. “We do not have a credible timetable—and we’ve just adjourned for a month. We do not have a definitive base text. We do not have straightforward guidelines on what amendments are allowed…This is not process: This is the absence of process,” he wrote. Mayer’s resignation comes on the heels of his comments in June indicating that if the group could not reach consensus in the month that followed, it would be time to “call it quits.” [GigaOm]

WW – Twitter Retargeting Service Gets Advocate Approval

The Guardian reports on what Twitter’s new retargeting advertising service may mean for user privacy. Users “won’t see more ads on Twitter, but they may see better ones,” the company told its users. While some privacy advocates have scrutinized the plan, others say Twitter’s approach is admirable given its adherence to “Do Not Track” settings and its easy opt-out. The Electronic Frontier Foundation says other companies should follow Twitter’s lead: “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” [Source]

Other Jurisdictions

NZ – NZ Websites Fall Down On Data Privacy

The Privacy Commissioner says New Zealand websites and apps need to do a better job of telling users what they are doing with people’s information and how secure that information is after nearly a third were found to have flawed privacy measures. Commissioner Marie Shroff made the comments in response to a global survey of sites, including New Zealand examples, which found a large proportion had no privacy policy, an inadequate policy, poor contact information or other concerns. They included websites or apps for schools, legal firms, and retailers. The Global Privacy Enforcement Network sweep of websites checked the transparency of 393 New Zealand sites. The survey found that 125 sites or apps did not have a privacy policy or an equivalent – a finding which Ms Shroff said was disappointing. [Source]

AU – Australia Gunning to Become World Leader in Big Data Analytics

The Australian Government Information Management Office has released its Public Service Big Data Strategy that aims to “position Australia as a world leader in the public sector use of Big Data analytics to deliver service-delivery reform, better public policy and protect citizens’ privacy.” The report discusses Big Data’s role in improving the targeting of services and the ability for businesses to offer more tailored services in accordance with individual and community needs, but it also notes privacy concerns that must be addressed before full benefits are realized. Agencies must develop better practices when it comes to cross-agency data sets and data deidentification, for example. [ZDNet] See also: [Czech Republic: Big Data, Big Deal?]

AU – Provision Could Label Data Transfers as Breaches

A provision in Australia’s proposed data breach notification legislation “could deem the unauthorised transfer of data from Australia to another country a breach.” In an interview, Françoise Gilbert notes, “Europe has been the most adamant at trying to curb the exodus of information outside of Europe without the proper measures…Australia is sort of following this trend and becoming much more serious about the cross-border data transfers.” The proposed law also calls for a requirement for organisations to notify stakeholders in the event of a breach. [GovInfoSecurity]

Privacy (US)

US – House Committee Creates Privacy Working Group

The U.S. House Commerce, Manufacturing and Trade Subcommittee has created a bipartisan privacy working group to focus on online privacy. With Reps. Marsha Blackburn (R-TN) and Peter Welch (D-VT) as its chairs, the working group will also include Reps. Joe Barton (R-TX), Pete Olson (R-TX), Mike Pompeo (R-KS), Jan Schakowsky (D-IL), Bobby Rush (D-IL) and Jerry McNerney (D-CA). Blackburn said the working group will “seek opportunities where Congress can forge bipartisan agreement to better protect consumers’ sensitive information and foster U.S.-based innovation,” while Welch added that given advancements in technology, it is “more important than ever that we make sure the consumer’s right to privacy is protected.” [Broadcasting & Cable]

US – Judge Rules Apple Can’t Dismiss Class-Action

A federal judge has ruled that Apple cannot dismiss a class-action alleging it let third parties upload user information from applications on their mobile devices. The judge said lead plaintiff Maria Pirozzi was able to make a “causal connection” between statements Apple made about the iPhone and the safety of its apps and her loss, the report states. “Plaintiffs alleged loss is clear: Apple claimed that apps could not access data from other apps…in actuality they can and have.” [Courthouse News Service]

US – Judge Dismisses Privacy Claim Against Neighborhood Photographer

New York State Court Judge Eileen A. Rakower has dismissed a claim against photographer Arne Svenson that alleged invasion of privacy. Svenson is a photographer who took photos of his neighbors through their windows, without their knowledge, and displayed the images in an art show. Rakower said the photos are protected under the First Amendment. New York’s civil rights laws “yield to an artist’s protections under the First Amendment under the circumstances presented here,” Rakower wrote. [Photo District News]

US – Court: Vehicle Records Must Be Reasonably Cared For Before Resale

A U.S. Court of Appeals has ruled that companies that resell personal information from motor vehicle records are subject to a “duty of reasonable care before disclosing such information pursuant to the Driver’s Privacy Protection Act (DPPA).” The court ruled on July 31 in Gordon v. Softech Int’l that “Given the nature of information available through motor vehicle records—e.g., Social Security number, medical or disability information and home address—the DPPA’s purpose would be severely undermined if resellers’ disclosures were not subject to a duty of reasonable inquiry.” [Bloomberg BNA]

US – Chief Justice Roberts Underscores the Issue of Privacy

Chief Justice of the U.S. Supreme Court John G. Roberts Jr. says privacy will be the biggest constitutional issue facing the court for years to come. Among the privacy questions that courts have considered:

  • Can police attach a GPS device to the vehicle of someone they want to track without first obtaining a warrant? In a ruling early last year, the Supreme Court said no. To do so is a violation of the expectation of privacy and, thus, of the Fourth Amendment.
  • Can police take DNA samples from those arrested, but not convicted, of serious crimes? The Supreme Court said yes, in a ruling this spring.
  • Are personal emails protected by federal privacy laws, such as those that cover traditional mail? Different courts have reached different conclusions. In April, the Supreme Court refused to take up the case. So who knows?
  • Can police search cellphone data of people they have arrested? Again, courts have issued different rulings. The Supreme Court has not considered the issue yet.

Other issues: Can employers demand to see the private Facebook accounts of job applicants? Can they discipline employees for what they say on social media? Questions such as these have developed quickly over the past 10 to 20 years and there is no reason to think the pace of change will slow down, such is the rapidity with which technology continues to evolve. The courts can barely keep up, which helps explain Roberts’ view of the issue. These are important, bedrock issues that will continue to work their way through the courts for decades to come. That is not simply an issue for judges, but for presidents, senators and, at root, voters. [Source]

RFID

UK – London’s Bins Are Tracking Your Smartphone

A UK-based authority has called for the end of WiFi tracking by recycling bins placed across London. The “pods” feature LCD screens that show advertisements to passersby, but can also record smartphone movements and other details. The City of London Corporation (CLC) has alerted the Information Commissioner’s Office of the bins, which have allegedly recorded the details of 4,009,676 devices from pedestrians in one week. “Irrespective of what’s technically possible, anything that happens like this on the streets needs to be done carefully, with the backing of an informed public,” the CLC said. Financial Times reports the company behind the bins says there is potential to help companies predict “personal habits” of consumers. [The Independent]

UK – City of London Bans Wi-Fi Tracking Trash Bins

The City of London Corporation has asked a company called Renew London to stop using devices embedded in trash bins to gather data from and track smartphones. The high-tech trashcans play advertisements on an integrated flat-screen. The devices in the bins log smartphones’ media access control (MAC) addresses. There are presently 12 tracking devices installed in recycling bins around the city. A statement from the UK Information Commissioner’s Office (ICO) reads: “Any technology that involves the processing of personal information must comply with the Data Protection Act,” and noted that it “will be making enquiries to establish what action, if any, is required.” Renew London has suspended trials of the tracking program. [BBC] [ArsTechnica] [The Register] [v3.co.uk] [ArsTechnica]

Security

US – White House Lists Incentives to Adopt Cyber Security Framework

The White House has compiled a list of incentives that it hopes will encourage private sector companies, especially those that support elements of the country’s critical infrastructure, to adopt practices described in the Cybersecurity Framework. The incentive areas include cybersecurity insurance, grants, and liability limitation. [SCMagazine] [CNET] [ComputerWorld] [Whitehouse.gov]

US – Survey: CIO, CISO Not Part of Insurance Decision

A new survey conducted by the Ponemon Institute reveals that approximately one-third of businesses and public-sector organizations purchase cyberinsurance, but chief information officers and chief information security officers often have “very little influence” in the purchase decision. Among the 638 U.S. organizations canvassed, there is “still a lot of skepticism about whether such insurance is worth the cost,” the report states. [Network World]

Surveillance

US – NSA Is Casting “Far Wider Net” Than Previously Disclosed

While the NSA has publicly acknowledged collecting and searching the contents of Americans’ digital communications without a warrant, it was previously understood that only conversations between Americans and targeted foreign nationals were collected and searched. Now, reports The New York Times, the documents released by Edward Snowden reveal that any communication that crosses the border and even mentions a piece of information connected to a suspect is being collected and searched. The NSA says this practice is legal under the 2008 FISA law. An anonymous senior intelligence official told The Times the NSA “makes ‘a clone of selected communication links’” to gather the information. NSA officials have publicly denied this practice in the past. The ACLU and other organizations are calling this “precisely the kind of generalized spying that the Fourth Amendment was intended to prohibit.” [New York Times] See also: [How A ‘Deviant’ Philosopher Built Palantir, A CIA-Funded Data-Mining Juggernaut] and also: [How Big Data Could Help Identify the Next Felon — Or Blame the Wrong Guy]

US – Obama Meets with Tech Biz; Snowden’s E-mail Provider Shuts Down

President Barack Obama met with CEOs from Apple, AT&T and other U.S.-based technology companies to discuss government surveillance, just days after meeting with privacy advocates, POLITICO reports. On the same day, officials from the FBI, CIA and NSA spoke about cybersecurity, and e-mail service provider Lavabit—which offered high-level encryption services and was reportedly used by whistleblower Edward Snowden—announced it was immediately shutting down its service. Lavabit owner and operator Ladar Levison said it was a “difficult decision: to become complicit in crimes against the American people or walk away” from his company. He added the experience has taught him that “without congressional action or a strong judicial precedent, I would strongly recommend against anyone trusting their private data to a company with physical ties to the U.S. government.” Snowden said U.S. tech companies “must ask themselves why they aren’t fighting for our interests (in) the same way.” Additionally, Silent Circle announced it was shutting down its encrypted e-mail service. [The New York Times]

WW – Satellite Technology a Boon for Business

The New York Times reports on affordable miniature satellites that will soon be orbiting Earth and sending back frequent, low-cost snapshots from space. The data captured from such technology will be valuable, one expert says, perhaps used by insurance companies to take “before” and “after” views of insured property to validate claims, for example. But some may not be so excited about such surveillance, said New York University Prof. Mitchell Stephens, calling the satellite’s pictures “a Godlike view, looking down from the heavens.” [Source]

UK – CCTV Code of Practice Comes Into Force After Privacy Concerns

The Home Office has introduced a CCTV code of practice to try to curb the excessive use of cameras for surveillance by increasing numbers of private and public sector organisations. However, there is no enforcement of the code and no fines for breaking it. The code, set out by the Home Office earlier this year, acknowledges that CCTV can be vital to security and surveillance, but said it must have a “legitimate aim” and be “compliant with any relevant legal obligations”. In particular, concerns have grown over recent years over the way CCTV is being used for excessive monitoring, such as in taxis, which was deemed illegal by the Information Commissioner’s Office last year. The code states: “This code has been developed to address concerns over the potential for abuse or misuse of surveillance by the state in public places, with the activities of local authorities and the police the initial focus of regulation.” To try to enforce this there are 12 points that CCTV operators must follow that cover a range of issues, from use to data retention and the ability to contact the people running the cameras to access information. [Source]

Telecom / TV

WW – Android 4.3 Keeps WiFi On, Even When It’s “Off”

The latest version of the Android operating system comes with a new feature that some technologists are drawing attention to: Even when a user switches WiFi access off, the device will continue to scan for WiFi networks. This is done “for providing better location information to apps.” However, there is a way to disable this functionality, which is detailed in the article. WPIX, a television station in New York, notes this default setting is raising privacy concerns. [ValueWalk] See also: [Baby monitor hacked, spies on Texas child] And also: [Is Advising Clients To Clean Up Social Media After Filing a Lawsuit Questionable?]

US Government Programs

US – NSA to Create Full-Time Privacy Officer; Obama Proposes Changes

In his first news conference since April, President Barack Obama defended the National Security Agency (NSA) surveillance programs, called for more transparency along with a task force charged with reporting on the programs and proposed four changes to the existing programs. Obama said the NSA will create a full-time privacy and civil liberties officer. The White House released a 22-page whitepaper defending the domestic collection of phone metadata, and the NSA also released a seven-page document detailing its role and authority. [The New York Times]

US – NSA Plans to Eliminate System Administrators

In an effort to reduce the risk of information leaks, the US National Security Agency (NSA) plans to get rid of 90 percent of its contracted system administrator positions. NSA Director General Keith Alexander said that the agency plans to move to an automated cloud infrastructure. Speaking on a panel along with FBI Director Robert Mueller at a security conference in New York, Alexander referred to the recent revelations about the scope of NSA surveillance, noting that “people make mistakes. But … no one has willfully or knowingly disobeyed the law or tried to invade … civil liberties or privacy.” [NBC News] [ArsTechnica] [The Register]

US Legislation

US – SB 1386 10 Years Later and the Path Forward

“Whether or not you view the passage of California’s SB 1386 data privacy law in 2003 as a watershed moment in the information security world, few can argue that its enactment significantly changed the infosec playing field,” writes Randy Sabett for Search Security. Sabett predicts that the trend started by SB 1386 “of increasingly proactive and granular state data privacy laws will continue to evolve” by focusing on the obligations of stakeholders—mainly those that are collecting the data, and he also expects to see federal privacy legislation. “For now though, it seems that there are too many stakeholders with varied interests to get an ‘omnibus-style’ bill on the books.” [Source]

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring-your-own-device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source]

US – Vote Delayed on E-Mail Warrant Bill

The Hill reports on the delay in “a vote on legislation that would require police to obtain a warrant before accessing e-mails and other online messages.” Senate Judiciary Committee Chairman Patrick Leahy (D-VT) had pressed for a vote prior to the August recess, “but at least one Republican objected to the bill,” resulting in the delay, the report states. If passed, the legislation will limit law enforcement’s ability to access private online messages. Currently, the Electronic Communications Privacy Act of 1986 only requires a subpoena to require Internet companies to provide access to such communications if they have been opened or are more than 180 days old. [Source]

US – Will Congress Legislate Glass?

In a world where laws are constantly playing catch-up with technology, Google Glass offers a possibility for preemptive legislation. Four states have introduced laws to ban Google’s wearable computer Glass while driving; casinos and healthcare facilities are also beginning to ban it; it’s not allowed in the Speaker’s Lobby of Congress, and now Congress is trying to figure out what to do about the privacy and legal issues surrounding the device. All before it’s even available for public consumption. [Politico]

US – New Jersey Bill To Allow Warrantless Cellphone Searches Contested

Proving illegal cellphone use was the cause of a car crash can be difficult for law enforcement. So one New Jersey lawmaker aims to make the process easier by proposing legislation that would allow police to search through a driver’s cellphone after a crash without a warrant. Sen. James Holzapfel (R-Ocean) proposed the legislation in June, but privacy advocates have called it unconstitutional. “We’re entitled to have a zone of privacy, and just because technology threatens to pierce that zone of privacy…doesn’t mean we should give up our constitutional protections,” said a trial lawyer and privacy expert. [Source]

US – Court: Gov’t Doesn’t Need Search Warrant for Location Data

A federal appeals court has decided that government authorities can extract historical location data directly from telecommunications carriers without a search warrant. The court ruled that such searches are constitutional because location data is a “business record” and so is not protected by the Fourth Amendment, the report states. The decision could have implications for other government initiatives to collect metadata under the premise that it constitutes a business record. “It doesn’t make it a slam dunk, but it makes a good case for the government to argue that position,” said one expert. This follows a decision Monday on the searches of cell phones in general where judges said they believe it’s a matter for the Supreme Court. [The New York Times]

US – Appeals Judges: Supreme Court Should Decide Cell Search Case

Following the First U.S. Circuit Court of Appeals’ decision Monday not to rehear a case involving whether warrants are needed to search cell phones, “two First Circuit judges said they voted against rehearing the case in order to speed its path to the U.S. Supreme Court.” In May, the Appeals Court decided 2-1 that Boston police needed a warrant to search a suspect’s cell phone, and earlier this month, Justice Department lawyers asked the court to rehear the case. “Ultimately this issue requires an authoritative answer from the Supreme Court, and our intermediate review would do little to mend the growing split among lower courts,” wrote Judge Jeffrey R. Howard, and Chief Judge Sandra Lynch wrote, “The preferable course is to speed this case to the Supreme Court for its consideration.” [The Wall Street Journal]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate]

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013—which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Franken Introduces Surveillance Transparency Act of 2013

Sen. Al Franken (D-MN) has introduced a bill that would require more transparency around government collection of broadband and phone info. “The Surveillance Transparency Act of 2013 would expand and improve ongoing government reporting about programs under the PATRIOT Act and Foreign Intelligence Surveillance Act that have been the subject of controversy in recent weeks,” said Franken’s office in its announcement. [Multichannel News]

US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance. [ABC’s This Week]

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

At a recent Senate Judiciary Committee hearing, senators from both sides of the aisle pressed representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [The Privacy Advisor]

US – FTC Updates COPPA FAQs

The FTC has updated its Frequently Asked Questions (FAQs) about changes to the Children’s Online Privacy Protection Act (COPPA). Updates include share buttons, actual knowledge and information collected from child-directed sites. If an app includes a share button that allows children to send or post information, “verifiable parental consent” is required; clarity on the actual knowledge standard is provided, and best practices are offered to third parties that discover personal information from a child-directed site has been collected. Recent COPPA revisions by the FTC went into effect on July 1. [Full Story]

US – Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the FTC to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – Utah Law Allowing Administrative Subpoenas Challenged

Legislators are joining privacy advocates in criticizing a Utah law, passed in 2009, that allows prosecutors to obtain Internet users’ information without a warrant. These so-called “administrative subpoenas” allow investigators to order Internet companies to hand over a user’s name and address, Web session times and durations, local and long-distance phone records and banking information when relevant to cases. The law has been used roughly 1,200 times since its passing. Now, however, privacy advocates and legislators alike are questioning whether the law is in line with the constitution, though it hasn’t yet been challenged in court. Rep. Brian Greene (R-Pleasant Grove) told the Salt Lake Tribune in an e-mail interview that he would favor legislation to scale back the law. Another member of the Judiciary Interim Committee, which has held hearings on the law, Sen. Luz Robles (D-Salt Lake City), said protections should be added to the statute to ensure it’s being used out of necessity, not convenience. [Full Story]

US – North Carolina Delays Drones with Budget Law

Under North Carolina’s budget law, without the state chief information officer’s okay, no government entity may buy or operate a drone “or disclose personal information about any person acquired through the operation of an unmanned aircraft system” before July 2015. Rep. Jason Saine (R-Lincoln) says the delay is to allow for time to look into concerns about the possibility for police to obtain 24-hour public surveillance abilities. There are exceptions to the rule, and the department of transportation reportedly has plans to acquire a drone in conjunction with the launch of a drone research field. [The Miami Herald]

US – New York Court Rules DMV-Data Brokers Not Liable for Subsequent Use

The New York Second Circuit ruled that while companies that sell DMV information cannot be held liable under the Driver’s Privacy Protection Act for a purchaser’s use of that information, it “held that companies must uphold a certain standard of care in evaluating statutory disclosure exceptions.” [Law360]

Workplace Privacy

US – Ohio Case Demonstrates Danger in BYOD Policies

JDSupra Law News analyzes the recent case in the Northern District of Ohio demonstrating the tension between employer control and employee privacy when it comes to bring-your-own-device (BYOD) policies. In Lazette v. Kulmatycki, an employer read the personal e-mails of a former employee after she turned in her Blackberry device, thinking she’d deleted the account. The employer was found to be at fault, but prosecutors had to stretch a bit to convict him under existing laws. “At a macro level, this case should be a warning to employers to continue to be careful with personal information in a BYOD environment,” the report states. “The potential liability for employers could be significant.” [Source] See also: [Bra Sizes of Female Detroit Police Officers Emailed to Coworkers] and [NZ: Sacked woman ordered to show her Facebook pages to prove she didn’t misuse sick leave] See also: [ON: Privacy watchdog’s advice sought for grant-rejection policy]

+++


16-31 July 2013

Biometrics

US – Advocates Support Banning Biometrics in Schools

As more schools explore and adopt security systems for identification purposes, such a move “recently caused a stir in Florida when Polk County Schools decided to incorporate biometric data systems.” The use of technology such as iris scans could soon be banned in the state’s schools, the report states, noting the school district launched a pilot program “allowing a security company to install iris scanners on school buses” without notifying parents in advance. The security company has said it deleted all information gathered, but concerns remain and the ACLU of Florida says a bill is in the works to ban such systems, the report states. [WFSU]

Consumer

US – Privacy Predicted to Be Next Competitive Differentiator

A Forrester survey finds that 62% of consumers say they would be “not at all likely” to do business again with a company known to have shared their PII with a data broker. Further, 37% report that they’ve abandoned a transaction online due to something they didn’t like in the terms of service, including the privacy policy. Finally, the study, commissioned by analytics firm Neustar, finds more than a quarter of respondents now using ad-blocking software. This leads Forrester to conclude that privacy is “the new green movement.” [GigaOm] See also: [New trends in data-driven remote healthcare in the U.S.]

WW – Consumers Changing Their Browsing Habits

New reports describe the changing browsing habits of consumers in light of the recent NSA disclosures. Meanwhile, a new browser add-on introduced on Monday aims to shield consumers from data mining by preventing users from disclosing contact information, CNET News reports. MaskMe, created by Abine, creates and manages “dummy” accounts for a user’s e-mail, phone number, credit card and website logins. According to the company, consumers tend to lose out in the “data-for-service exchange,” while companies win. Abine’s Sarah Downey said, “The real lesson is, ‘Stop: Don’t give out your personal information.’” [The Associated Press]

US – Companies Shifting to Meet Consumer Expectations

Products are changing based on consumer expectations of privacy. Pinterest is now offering users a Do-Not-Track option. Google Now is a digital assistant capable of alerting users if a flight is delayed or a particular route is backed up with traffic, but Google reserves the service’s full functionality for those users who don’t mind their locations being tracked, the report states. And Facebook’s latest ad offerings target users based only on age and gender rather than more granular data. [Forbes]

E-Government

US – Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. [Technology’s Legal Edge]

E-Mail

US – Microsoft Denies Giving NSA Unfettered Access to eMail

Microsoft says it is within its First Amendment rights to disclose national security requests for user data. Microsoft also says that it does not provide the NSA with encryption keys to access email, despite reports that it was helping the intelligence agency bypass security measures to access web chats through Outlook and putting backdoor access in its products to aid federal investigations. [eWeek] [The Register] [ComputerWorld] [ZDNet]

Electronic Records

US – New “Hub” Database Raises Privacy Concerns

As part of the massive overhaul of America’s healthcare system, databases from seven U.S. agencies—from the Internal Revenue Service to the Peace Corps—will be tied together in one $267 million computer system called the Hub to determine which U.S. citizens can purchase medical coverage. The size and breadth of the system is raising red flags from some who are concerned about privacy and security risks, as the system will include data such as identity, citizenship, income and family size. One lawmaker queried, “It’s information on 300 million Americans, all compiled in one place—what could go wrong?” Others note, however, that the system can only access data on potential enrollees and there’s not a central storage center for the data. [Source]

Encryption

WW – Facebook Browsing Now “Secure” by Default

Earlier this week, Facebook made “secure” browsing a default setting. The option to use TLS (Transport Layer Security) encryption has been available for two years. “Secure” browsing means that data sent to Facebook servers by users will be encrypted. Among the reasons it took this long for Facebook to make “secure” browsing the default setting is that the company had to wait for third-party applications to upgrade their platforms to avoid compatibility issues. [ComputerWorld]

EU Developments

EU – Hawkes Says Google, Facebook Safe from Audit

While Irish DPA Billy Hawkes announced last week he was beginning a formal audit of LinkedIn, the Office of the Data Protection Commissioner (ODPC) has said in e-mail correspondence with advocate group Europe-v-Facebook.org it will not be investigating Facebook and Google in relation to the NSA revelations. “We do not consider that there are grounds for an investigation under the Irish Data Protection Acts given that ‘Safe Harbor’ requirements have been met,” the ODPC wrote. However, that Safe Harbor agreement is now consistently under fire. Earlier this week, EU Justice Commissioner Reding said she would be reviewing the agreement, and now German privacy officials are calling on Chancellor Merkel to push for suspension of the Safe Harbor agreement. [The Independent]

EU – Commissioner Begins Inquiry Into LinkedIn

Irish Data Protection Commissioner Billy Hawkes has launched an audit of social networking firm LinkedIn, adding it could have ramifications worldwide. Hawkes has confirmed his team has begun the audit as part of a process that will look into all social media firms based in Ireland. LinkedIn suffered a data breach earlier this year. [The Independent]

EU – Safe Harbour Agreement “Under Review”, Says European Commission

Vice President of the European Commission Viviane Reding said the commission will present a “solid assessment” of the current Safe Harbor agreement between the EU and U.S. by the end of the year. The European Parliament has called on the commission to conduct such a review following revelations that Safe Harbor parties were involved in the U.S. National Security Agency’s surveillance program. Reding has said, “The Safe Harbor agreement may not be so safe after all.” [Out-Law.com]

EU – European Parliament Wants NSA Chief to Testify

The European Parliament is set to initiate an investigation into the NSA surveillance program disclosures and is amassing “an interesting list of witnesses” to testify about the issue, including U.S. National Security Agency Chief Gen. Keith Alexander, whistleblower Edward Snowden and The Guardian’s Glenn Greenwald. European Parliament plans to hold the series of hearings about the programs in September. A Deutsche Welle report asks if European Union interior ministers are partly responsible for collaborating with U.S. security agencies. European Home Affairs Commissioner Cecilia Malmström said that the EU is not solely responsible for data protection as security agency activities generally come under the jurisdiction of member states. [Slate]

EU – Germany Wants UN Privacy Charter

In response to the NSA disclosures, senior German government officials are lobbying for expansion of the 1966 UN human rights treaty to cover modern forms of communication such as e-mail and social networks. German foreign and justice ministers sent a letter—which was released more broadly on Wednesday—to their European Union counterparts last week: “We want to use the current debate to launch an initiative that would outline the inalienable privacy rights under current conditions.” The letter also suggests convening all 167 parties to the International Covenant on Civil and Political Rights. German data protection authorities have also called for suspension of a key data-sharing agreement between the EU and U.S. [The Associated Press]

Filtering

UK – Critics Say UK Prime Minister’s Web Filtering Plan is Misguided

UK Prime Minister David Cameron’s plan to make Internet service providers (ISPs) and search engines filter pornography is seen by some as misguided. Open Rights Group executive director Jim Killock notes that “banning search terms seems unlikely to combat the serious activity, which is independent of search engines.” And technology journalist Simon Bisson writes, “What the UK government should be concentrating on is an effort to break the financial ties that hold the darknets together. Finding who holds the purse strings is a complex task, but it’s a technique that has been proven to work time and time again. And perhaps it should also be noted that it’s an approach that’s well within the capabilities of the powerful surveillance tools that government security agencies have put in place … to combat terrorism.” [ZDNet] [BBC] [CNET] [ComputerWorld] [Draft of Cameron’s Speech]

Finance

US – 160 Million Credit Cards Stolen; Indictment Reveals Wall Street Exposure

Five people have been indicted in connection with a series of major cyberattacks that compromised more than 160 million credit card accounts over a seven-year period. A separate indictment of one of the men exposed a two-year-long penetration of computers at the NASDAQ and shined a light on the vulnerability of global financial systems. The five men named in the indictment were allegedly involved with breaches for which Albert Gonzalez is currently serving a 20-year prison sentence. Between 2005 and 2012, the group allegedly breached systems at Heartland Payment Systems, Hannaford Brothers, Dexia Bank Belgium and a number of other organizations. [NYTimes] [WIRED] [ComputerWorld] [KrebsOnSecurity] [BBC] [CNET] [Justice.gov]

US – Bank Glitch Exposes Data on 150,000 Customers

“In a case that could serve as a warning to other banks that contribute customer data to public storehouses,” Citigroup said it improperly protected consumer data—including Social Security numbers, birth dates and other sensitive information—when it shared nearly 150,000 records with the government’s legal document system, otherwise known as the Public Access to Court Electronic Records (PACER). The bank reached a settlement with a division of the Justice Department to redact the customer data at its own expense, notify those affected and offer one year of free credit monitoring. In a statement, the bank said, “The redaction issues primarily resulted from a limitation in the technology Citi had used to redact personally identifiable information in the filings.” [American Banker]

FOI

US – Hulu: “Anonymous” Data Not Covered By VPPA

In new court papers filed last week, Hulu argues that sharing “anonymous” data about its users’ viewing habits with third parties is not a violation of the Video Privacy Protection Act (VPPA). In the filing before U.S. District Court Judge Laurel Beeler in San Francisco, the company wrote, “Hulu cannot be liable for disclosing anonymous user ID to comScore or Nielsen or to any other service provider.” Hulu acknowledges it shares users’ viewing histories, but removes names and any other identifying information. Instead, it assigns each user an anonymous user ID prior to transmitting the data. In the class-action lawsuit filed against the company, users allege that third parties with whom the data is shared can re-identify the information. Hulu said it stopped the practice allowing such re-identification two years ago. [MediaPost News]

Health / Medical

US – Woman Awarded $1.44M; Company to Appeal

A Marion Superior Court jury has awarded a plaintiff “$1.44 million after finding Walgreens and a pharmacist violated her privacy when the pharmacist looked up and shared the woman’s prescription history.” The lawsuit alleged, “As a provider of pharmaceutical service, defendant Walgreens Co. owes a non-delegable duty to its customers to protect their privacy and confidentiality of its customers’ pharmaceutical information and prescription histories.” In a statement, Walgreens has said it will appeal, stating it is “a misapplication of the law to hold an employer liable for the actions of one employee who knowingly violates company policy.” [Indianapolis Star]

US – VA Seeks Breach Lawsuit Dismissal

The VA has moved to dismiss a lawsuit filed by patients affected by a breach earlier this year at the William Jennings Bryan Dorn VA medical center. The VA filed the motion on the grounds that plaintiffs have failed to prove the breached records were improperly disclosed. More than 7,400 patient records were on a laptop that was stolen last April. The government is now arguing that, absent evidence that an unauthorized person viewed the records, the breach should not be considered improper disclosure under the Privacy Act, the report states. [HealthITSecurity]

WW – Google to Make $8.5 Million Donation in Settlement

Google will make an $8.5 million donation to nonprofit organizations in order to settle a class-action lawsuit alleging it leaked the names of search users. Google will also revise the “frequently asked questions” section of its privacy policy, the report states. Recipients of the settlement include the World Privacy Forum, Carnegie-Mellon, Harvard Law’s Berkman Center for Internet and Society and Stanford Law’s Center for Internet and Society. [MediaPost News]

Horror Stories

US – SEC, Retailer Announce Breaches

The Securities and Exchange Commission (SEC) has announced a data breach after a former SEC employee “inadvertently and unknowingly” downloaded the names, birthdates and Social Security numbers of employees on to a thumb drive and then transferred the data to another agency. The SEC did not learn of the incident until 10 months after it occurred. It is unclear how many employees were affected. Meanwhile, retailer Lakeland has warned customers of a potential data breach after two encrypted databases were accessed. [The Hill]

US – OHSU Reports 3,000 Records Breached

The Oregon Health & Science University has notified more than 3,000 patients their personal data was compromised after it was discovered the data was placed by resident physicians on two information-sharing services. Compromised data included patient names, medical record numbers, dates of service, diagnoses and providers’ names. The school said, “There is no evidence that the data were accessed or used by anyone who did not have a legitimate patient-care need to view the information.” [ModernHealthcare]

US – Details Emerge on Monroeville Breach

In a situation involving the Office for Civil Rights (OCR) and the Monroeville, PA, 911 dispatch center, the OCR told the center it had 30 days to conduct an investigation into protected health information of a former police chief that was exposed. Details obtained by the Pittsburgh Post-Gazette reveal that Monroeville 911 records were available to unauthorized individuals for an extended period of time, among other revelations. Meanwhile, a programming error has led to a data breach at the Indiana Family and Social Services Administration. [Health IT Security]

US – Citibike Notifies 1,200 of Breach

NYC Bike Share, the company that designs and manages the Citibike sharing system, has notified nearly 1,200 customers that their credit card numbers, names and addresses were mistakenly posted on the back pages of its website for approximately 24 hours. The glitch reportedly occurred between April 15 and late May. One customer notified by the company said she was glad to have been notified directly, though she was surprised the incident happened. Some businesses just post cryptic messages on their websites, she said, adding, “I felt in a way they handled it more responsibly.” [New York Post]

US – Stanford Breached; Recognizing Bank Breaches

Stanford University has announced that its information technology infrastructure has been breached, “similar to incidents reported in recent months by a range of companies and large organizations in the United States,” according to a Stanford press release. Though the school does not yet “know the scope of the intrusion,” an investigation is underway. “We are not aware of any protected health information, personal financial information or Social Security numbers being compromised, and Stanford does not conduct classified research.” Meanwhile, Bank Systems & Technology writes, “we have found that many employees, even those who are technically savvy, do not recognize as reportable events the situations that commonly result in a data breach.” [Source]

US – Medicaid Patient Records Potentially Compromised Via E-mail

The Office of the Medicaid Inspector General (OMIG) has announced an internal employee in New York sent 17,743 Medicaid patient records to a personal e-mail account in October 2012. The employee did not have OMIG consent to send the e-mail and has been placed on administrative leave. The potentially compromised information may have included patients’ first and last names, dates of birth, Medicaid client information numbers and Social Security numbers, the report states. [Health IT Security]

US – 1.8m Affected by Ubuntu Breach, Apple Hacked

Ubuntu Forums has suffered a massive data breach, the company announced on its site. Every user’s local username, password and e-mail address were stolen from the company’s database. Approximately 1.82 million users are subscribed. Meanwhile, the University of Virginia has notified 18,700 students of a recent data breach after a third-party mailing vendor accidentally sent the students’ Social Security numbers in brochures mailed to home addresses, and Apple says its website for developers has been breached, but says customer information is encrypted and was not affected. [ZDNet]

Identity Issues

US – Deception Is at the Heart of PLSC-Winning Papers

At each year’s Privacy Law Scholars Conference, scholars workshop papers that bring together the academic privacy community with those working in industry, advocacy, law and government. The IAPP awards the two papers that receive the most votes from attendees with a cash prize and a speaking slot at the IAPP Privacy Academy, to be held this year in Seattle, Sept. 30 through Oct. 2. In an exclusive for The Privacy Advisor, IAPP interviews the winners and discusses their inspiration for the papers and the conclusions they’ve drawn about deceptive privacy practices and what the FTC might start doing about them. [Privacy Advisor]

Intellectual Property

US – State AGs Want Ability to Prosecute ISPs for Third-Party Content

“If you want to run a European Internet company dealing with user-generated content, be prepared to put your personal liberty at stake.” The analysis is based on recent cases involving ISP executives charged with various crimes due to the content their users posted. But Europe isn’t the only place such dangers lurk. At a meeting of the National Association of Attorneys’ General last week, it was revealed that some state AGs are drafting a letter to Congress that would exclude state criminal prosecutions from Section 230, a provision that says websites aren’t liable for user-generated content or other third-party content. Essentially, the change would allow state AGs to prosecute Internet companies, including their executives, for violating state law via publication of third-party content. [Forbes]

Internet / WWW

WW – The Good, the Bad and the Ugly of the Internet of Things

In anticipation of a roundtable discussion on the Internet of Things this November, the FTC has released submitted comments—coming from industry, privacy advocates, academics and regulators. This Privacy Perspectives post explores the potential benefits and drawbacks of this nascent phenomenon as well as the privacy discussions that need to be hashed out. Meanwhile, Kashmir Hill of Forbes writes about hacking into a smart home. [Source]

Law Enforcement

US – ACLU: Police Tracking Innocent People’s License Plate Data

An ACLU report reveals that police departments across the U.S. are using license-plate readers to capture and store information about individuals’ whereabouts—without their knowledge. The report found that data on even those who have not been accused of a crime is stored in the database. The ACLU says rules must be enacted to restrict how such technology is used and for how long such data is retained. Meanwhile, the Center for Investigative Reporting writes local officials are moving forward with a federally funded project that aims to combine data on surveillance cameras, gunshot detectors, license-plate readers, Twitter feeds and alarm notifications into a single tool for law enforcement. [The Hill]

US – Feds Arrest Five in Largest Hacking Scheme Ever Prosecuted

U.S. Attorney Paul Fishman announced today the indictment of four Russians and a Ukrainian in what he is calling “the largest hacking and data breach scheme ever prosecuted in the United States.” From 2005 to 2012, Vladimir Drinkman, Aleksandr Kalinin, Roman Kotov, Mikhail Rytikov and Dmitriy Smilianets allegedly uploaded malware into the computer systems of large institutions like Dow Jones, NASDAQ, JetBlue and 7-Eleven, then used that access to download and sell as many as 160 million credit and debit card numbers, along with other PII. Stolen funds reached into the many hundreds of millions. [The Star Ledger]

Mobile

US – NTIA-Led Group Releases Code of Conduct

After a year of meetings and deliberations, the multi-stakeholder group organized by the National Telecommunications and Information Administration released yesterday statements showing general support for its Short Form Notice Code of Conduct, along with concrete examples of what the “nutrition label”-like short-form privacy notice might look like. These new notices won’t replace long-form privacy notices, but will serve as quick guides to which information is being collected by mobile apps and for what purpose. However, use of the short-form notices remains voluntary, and, noted Adweek, only two of the stakeholders committed concretely to use of the code of conduct. Other groups, such as the ACLU and EFF, voted to support the short form notices, but without committing to a full endorsement. And another 17 groups voted for more consideration. “It is not a consensus and not done,” said Stu Ingis, of the Direct Marketing Association. [WashingtonPost]

US – DAA, NAI Each Release Mobile Privacy Rules

The Digital Advertising Alliance (DAA) has unveiled its long-anticipated mobile privacy code. The rules state that ad networks and other related third parties should provide notification for online behavioral advertising—also known as cross-app advertising—with a provided opt-out. Additionally, ad networks and app developers must obtain opt-in consent from users for geolocation and address-book data collection. The grace period for implementation is expected to be nine to 12 months, potentially longer. The DAA is also working on an AdChoices opt-out icon for mobile apps. DAA counsel Stu Ingis said, “We envision that there will be an app that has the AdChoices icon in it, that consumers can download…Through the app, consumers can exercise choice with respect to all of the third parties.” DAA member the Network Advertising Initiative has released its final version of mobile privacy rules as well. [MediaPost News]

US – Study Says Short-Form Notice Can Be Ambiguous

A new study conducted by Carnegie Mellon University (CMU) reveals that the U.S. Commerce Department short-form notice proposal, as it currently defines data collection notice categories, has the potential to confuse consumers. The proposal calls for app developers to describe data types that will be collected—such as “biometrics”—and what types of third parties receive collected data—such as “ad networks.” The study surveyed 800 consumers and four experts about which terms they would use to categorize collection practices. Lorrie Cranor, a CMU computer scientist who oversaw the study, said the terms are “not well-defined, even the experts weren’t sure how to apply them,” and added, “When you have a bunch of lawyers and policy people coming up with the consumer tools, they’re not going to come up with something that is necessarily usable.” [Online Media Daily]

US – Study: Mobile Health Apps Carry Privacy Risk

According to a new study released yesterday by Privacy Rights Clearinghouse, many mobile health apps carry privacy and security risks. The report surveyed 43 free and paid apps—including the top 20 paid apps in health and fitness categories—and found several did not have privacy policies, transmit data without encryption and send user data to third parties such as ad networks and analytics companies. Privacy Rights Clearinghouse Founder Beth Givens said, “Data security and privacy—from a technical standpoint—is abysmal.” [GigaOm]

WW – Next Gen Video Game Consoles Raise Privacy Concerns

There are growing concerns about the privacy and data collection capabilities of the next generation of video game consoles. With more integration planned between consoles and social networking sites and video chat platforms, including Skype, “consoles are becoming as connected as the other devices we use every day,” the report states. The new systems will also feature motion- and voice-controlled technology used for recognizing users. Electronic Frontier Foundation Senior Staff Technologist Seth Schoen said, “Video game consoles pose problems akin to those of mobile phones because users often have very little visibility into what devices are doing and very little control over the software running on the devices.” [NBC News]

Online Privacy

WW – Mozilla Unveils Personalization Project, Catches Flak

Mozilla announced on its Labs blog it has begun testing a new personalized browsing experience with Firefox, whereby users choose with which Web sites to share which PII in exchange for personalized content. Elsewhere, the company explained how this fits with its philosophy of “Personalization with Respect.” However, while TechCrunch noted this is still just in the testing stages, AdWeek called the announcement “ironic” in light of the company’s Do Not Track stance, and lined up advertising representatives to say worse: “So the takeaway is that it’s OK for Mozilla to track, but not third parties?” asked Alan Chapell of Chapell & Associates, co-chair of the Mobile Marketing Association’s privacy committee. [Source]

US – Twitter Transparency Report Shows Growing Government Demand for Data

Twitter says the U.S. government continues to make the most requests for data on subscribers. In the first six months of the year, federal authorities made 902 requests for user information. In the same period last year, it requested information on 815 subscribers, the company’s transparency report indicates. Additionally, the U.S. government’s requests comprised 78% of all requests for user data. In its latest blog post, Twitter said it has “joined forces with industry peers and civil liberty groups to insist that the U.S. government allow for increased transparency into these secret orders.” [Washington Post]

US – Just How Creepy Is Predictive Search?

The New York Times reports on the new trend of apps utilizing predictive search to alert users to information they didn’t know they needed. From Google Now to Evernote to MindMeld, these apps scan users’ e-mail, calendar, notes and other items in the cloud or on a device to predict which information will be useful in the near future. A user might receive an alert that traffic is bad between midtown and the suburbs because the app knows that’s where the 10 a.m. meeting is. However, some observers are calling the services invasive and creepy, while others point to issues around context. “What works for a group of 30-something engineers in Silicon Valley may not be representative of the way that 60-year-old executives in New York tend to use their phones,” says UPENN Wharton School Prof. Andrea M. Matwyshyn. [New York Times]

US – Pinterest to Honor DNT Settings

Pinterest has added new site-personalization features for users, drawn from their web-browsing activities, but has also provided users with an opt-out choice. The company also announced it will support and honor the settings of users who select Do Not Track. “We’re excited to give everyone a more personalized experience,” Pinterest wrote in a blog post on Friday, “but we also understand if you’re not interested! We support Do Not Track, and you can change your account settings anytime.” The Electronic Frontier Foundation (EFF) supported the moves, which are similar to those of Twitter. “Hopefully, the decisions of Twitter and Pinterest are the vanguard of a new industry standard around respecting Do Not Track and soon this will be the default of all major websites,” the EFF wrote. [GigaOm]

WW – Terms and Conditions Documentary Examines Internet Privacy Issues

Terms and Conditions is a recently released documentary that examines the evolution of Internet privacy policies over the last 15 years. A dozen Internet privacy bills were introduced prior to September 11, 2001, but all were abandoned in the wake of the attacks. Instead, the PATRIOT Act was put in place, which led to the NSA’s wide-reaching data gathering practices. Assurances of anonymity have disappeared. The film compares Google’s privacy policy from December 2000 with that from December 2001. In short, the earlier policy clearly states that users’ identities are not traceable through cookies, but the one from a year later indicates that cookies might be able to be used to identify a particular user. That later policy says, in part, “Google will not disclose its cookies to third parties except as required by a valid legal process such as a search warrant, subpoena, statute or court order.” The film also addresses Facebook’s data retention practice. When users delete or remove content from their profiles, it merely gets flagged as deleted, but it still remains in the Facebook data banks and is accessible to Facebook or government agencies. [ArsTechnica]

US – W3C to Miss July Deadline for DNT

The World Wide Web Consortium (W3C) will not meet its “last call” deadline for putting out a Do-Not-Track proposal for public comment. W3C Co-Chair Peter Swire, CIPP/US, said, “There is not a way to get to last call by the end of July,” adding, “Next Wednesday, we will have a discussion about where we are and next steps.” According to the report, the group still has the opportunity to work on the proposals, but “the talks have turned so acrimonious that it seems unlikely the group will ever agree” on a Do-Not-Track standard for headers sent to browsers. [MediaPost News]

Other Jurisdictions

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. [Bloomberg]

AU – Australian Government Considers Joining Merkel’s Agreement

The Australian government is considering participating in a global data protection agreement put forward by German Chancellor Angela Merkel following revelations of the U.S. National Security Agency’s (NSA) PRISM surveillance program. Meanwhile, Australian Federal Police Commissioner Tony Negus says there is no link between the NSA revelations and Australia’s push for a mandatory data retention regime. In an opinion piece for CNN, Sen. Al Franken (D-MN) writes he’s working on legislation that would require the U.S. government to report annually how it uses surveillance programs, including how citizens’ data is being collected and who sees it. And in another op-ed, former head of the U.S. Justice Department’s Office of Legal Counsel writes that NSA data collection shouldn’t be constrained. [ZDNet]

JP – Railway Company Apologizes for Selling PII

Japan’s national railway system has apologized for sharing its passengers’ travel habits and other personal information with a pre-paid fare card system without user consent. East Japan Railway admitted to selling the data to Suica—one of the pre-paid card businesses. The data included card holders’ ID numbers, ages, genders and where and when passengers got on and off the train. A transportation ministry official, however, said they will not investigate the issue for privacy violations because the railway company “told us that it wasn’t personal information, as it didn’t include names and addresses of users.” The Ministry of Internal Affairs and Communications is looking into the issue and has set up a team to research the matter, the report states. [The Wall Street Journal]

Privacy (US)

US – Industry Groups Push for Federal Breach Notification Law

At a House hearing, industry groups called on Congress to move toward a federal data breach notification law. According to some witnesses, the current patchwork of state notification laws is burdensome for business. Though the hearing was mostly informative, according to the report, House Energy and Commerce Subcommittee Chairman Lee Terry (R-NE) expressed interest in pursuing legislation. Rep. Henry Waxman (D-CA) warned that federal legislation should not undercut state standards that already “have strong breach notification laws.” The Senate last month introduced federal legislation. [The Hill]

US – Legislator Calls on FTC to Curb Brick-and-Mortar Tracking

Sen. Charles Schumer (D-NY) has called on the Federal Trade Commission to institute rules to allow shoppers to opt out of smartphone tracking at brick-and-mortar retail stores. Schumer said that participating stores are “going to know a lot about you by following you around, even if you don’t purchase, even if you’re just browsing.” He also added that children can be tracked, and collected data may be stored indefinitely. [CBS New York]

US – Court Dismisses Class-Action Claim Against Gaming Site

The U.S. District Court for the Central District of California has dismissed a majority of the claims brought against Blizzard Entertainment, Inc., after a 2012 data breach. Hackers had gained access to customers’ accounts, including e-mail addresses and cryptographically scrambled versions of Battle.net passwords. Among other allegations, the plaintiffs claimed the company failed to notify users of the breach in a timely manner. The court said the plaintiffs “failed to allege adequate harm.” Meanwhile, a Colorado clinic reports it has fired an employee in its billing department who improperly e-mailed some patients’ protected information to her own personal account. [Mondaq]

US – Digital Advertiser Settles Privacy Violation

Digital marketing company PulsePoint has agreed to settle charges by the acting New Jersey attorney general and the New Jersey Division of Consumer Affairs that it bypassed consumers’ privacy settings in Safari browsers. The company allegedly used cookies to bypass settings that are designed to block targeted ads. Acting New Jersey Attorney General John J. Hoffman said, “This settlement puts online advertisers on notice that they must respect consumers’ privacy settings, or end up paying far more in penalties than any violations would generate in ad revenue.” Another provision of the settlement requires PulsePoint to post its data collection practices on its website. A company spokeswoman said PulsePoint took “user privacy very seriously” and that the cookies in question had been “primarily limited to technical purposes such as fraud detection” and not for targeted ads. [The New York Times]

US – Reddit Joins Lobbying Group

Link-sharing and discussion website Reddit has announced that it has joined the Internet Association, a Washington lobbying group. The association was founded last year and lobbies on topics including surveillance laws, privacy, regulation and cybersecurity. “In spite of reddit being an incredibly effective way to lower workplace productivity, we’ve also seen how online communities can have a transformative economic impact,” said Reddit’s general manager. The Internet Association recently wrote to the U.S. Executive branch and congressional leaders calling for greater transparency on national security-related requests for user data from Internet service providers. [The Hill]

US – The Privacy (and Security) Pro in the White House

Much has been made of Nicole Wong’s appointment to work on privacy matters in the White House under U.S. CTO Todd Park, but there’s another privacy pro in the White House who actually has “privacy” in his title: Ari Schwartz, Director for Cybersecurity Privacy, Civil Liberties and Policy, National Security Staff, who started in the job this past month. The Privacy Advisor gets the first interview with him about his new position. Meanwhile, Politico talks about growing pains for the PCLOB, with which Schwartz will be working closely. [Privacy Advisor]

Security

US – Obama Seeks Industry Incentives, Including Limited Liability

A “preliminary” presentation has been set forth by the Department of Homeland Security that looks into offering incentives to industries that adopt voluntary cybersecurity standards. Potential incentives include tax breaks, cyberinsurance “perks” and protection against legal liability. A White House representative noted the presentation is a “snapshot in time” and it only “reflects some preliminary analysis.” Cybersecurity legislation failed to pass Congress last year, so the Obama administration’s cybersecurity executive order relies on industry cooperation. The DHS and the National Institute of Standards and Technology are working with businesses to create a framework. Meanwhile, cybersecurity experts weigh in on the recent announcement that DHS Secretary Janet Napolitano will retire. [POLITICO]

UK – Intelligence Agencies Support Security Assessment for Large Companies

UK intelligence outfits GCHQ and MI5 are supporting an effort from the Department of Business, Skills, and Innovation, that asks the UK’s largest listed companies to take part in a Cyber Governance Health Check. The process involves having the companies’ chairpeople and audit committee heads complete web governance questionnaires. The companies’ audit committees will have the opportunity to discuss security issues discovered, and participating organizations will be able to view anonymized information about other participating organizations. [ZDNet] [v3.co.uk] [Telegraph] [ComputerWorldUK]

US – Cybersecurity Bill Draft Is Circulating

There is no shortage of guidance for privacy and security professionals charged with designing and implementing a secure information infrastructure; existing regulations, ISO standards 27001 and 27002 as well as industry-wide practices are just the most prominent sources. But if congressional leaders get their wish, there will soon be yet another source of guidance: the Cybersecurity Framework from the National Institute of Standards and Technology. [Source]

WW – Cyber Insurance Policies on the Rise

Cyber insurance has become increasingly popular among businesses. That’s because of high-profile data breaches at companies including Citigroup and Sony and at governments around the world, the report states. “We’ve reached a threshold where people are now coming to us instead of us going to them,” said one industry executive, adding that his company, Aon Corp., has sold more cyber insurance policies within the last year and a half than in the five years prior. [Live Insurance News]

US – USDA Mobile Device Security Program Not Living Up to Expectations

Officials at the US Department of Agriculture (USDA) say that a mobile device security system it solicited in November 2012 is not functioning as specified in the contract. The solicitation from November 2012 specified “a fully functional 30 day pilot with vendor support … ready to support a minimum of 3,000 mobile devices.” The project is roughly a year behind schedule and parts of the project are incompatible with USDA’s network security infrastructure. The vendors hired for the USDA project are the same as those with which the Pentagon’s Defense Information Systems Agency (DISA) recently signed a three-year, US $16 million contract to provide security for 300,000 mobile devices. Neither DISA nor the Department of Agriculture required verification that the software being purchased is compatible with their existing software – resulting in extreme delays and significant additional costs at Agriculture and probably at DoD as well. [NextGov]

WW – Most Mobile Companies Have Fixed SIM Card Flaw

Nearly all mobile companies have patched a serious flaw that affected more than 500 million phones; the fixes were delivered within 10 days of notification. Karsten Nohl said that his team had found a way to remotely access and control mobile devices’ SIM cards. In some cases, the SIM cards could also be cloned. Attackers could exploit the flaw to eavesdrop on communications, pilfer information from accounts, and commit identity fraud. The attack allowed hackers to obtain SIM cards’ digital keys. The attack involves sending a text message to the SIM card that in certain cases, results in the card returning data that can be decrypted to reveal the key. [NBC News] [The Guardian]

WW – Researchers Hack Into Car Computer

Two security experts have demonstrated how they can hack into an automobile’s computer network to control essential functions, including shutting off the brakes. Charlie Miller, a security engineer at Twitter, and Chris Valasek, an intelligence security director at IOActive, have received a grant from the Pentagon to discover security vulnerabilities in automobiles. “When you lose faith that a car will do what you tell it to do,” Miller said, “it really changes your whole view of how the thing works.” Miller and Valasek plan to share their findings at next month’s Defcon hacker meeting in Las Vegas. A representative from Toyota said the real concern isn’t physically hacking into a car, as the duo have done, but wirelessly hacking into a car. “We believe our systems are robust and secure,” the representative said. [Forbes]

UK – Judge Bans Publication of Paper on Car Security System Hacking

A UK high court judge has ruled that a trio of computer scientists may not publish a paper describing a weakness in a cryptographic algorithm used to identify automobiles’ ignition keys. The injunction was sought by Volkswagen, which also owns Porsche, Audi, Bentley, and Lamborghini. The Megamos Crypto system, which is discussed in the paper, is used by a number of the luxury car brands. Volkswagen asked that the researchers publish a redacted version of the paper because they maintain the information could be used to steal cars. The researchers say that the information is available online. They also notified the manufacturer of the vulnerable chip nine months ago to give the company time to address the security issues before they planned to present the paper. [ArsTechnica] [BBC] [The Register] [v3.co.uk]

WW – Governments Ban Lenovo PCs from Accessing Classified Networks

A recent report from Australia’s Financial Review revealed that for the past seven years, the governments of the US, the UK, Australia, New Zealand, and Canada have banned the use of Lenovo PCs to access classified networks. Together, these countries make up the “five eyes” electronic eavesdropping alliance. The ban was prompted by concerns that the Chinese government may have installed backdoors to allow monitoring. Lenovo acquired IBM’s PC division in 2005. When the US State Department purchased 16,000 Lenovo PCs in 2006, legislators’ security concerns resulted in the machines being relegated to use only on unclassified networks. [InformationWeek] [The Register] [qz.com]

WW – Questionable Apps in Google Play Store

Symantec says that over the last seven months, it has detected more than 1,200 suspicious or questionable apps in the Google Play store for Android. Most are removed from the store shortly after their appearance, but some remain available for several days. The objective of apps can be difficult to discern, especially when they employ several layers to obfuscate their intent. [InformationWeek] [ComputerWorld]

WW – Apple and Samsung Smartphone Antitheft Technologies to be Tested

The “Secure Our Smartphone” initiative asks phone makers to implement technology that will help reduce smartphone theft. This week, state and federal prosecutors in California plan to bring in experts who will try to defeat security measures on smartphones provided by Apple and Samsung. Apple’s iPhone 5 will have the “Activation Lock” feature enabled, and Samsung’s Galaxy S4 will come with the LoJack for Android feature. Federal prosecutors are still hopeful that the companies will eventually manufacture smartphones with kill switches. [CNET] [ComputerWorld]

WW – Cybersecurity Moved From 12th to 3rd Place on Lloyd’s Risk Index List

Lloyd’s Risk Index 2013 places cybersecurity near the top of the list of risk factors faced by businesses. Risk of cyber incidents was ranked twelfth in the 2011 Index and has moved, in three years, to third, following only high taxation and loss of customers. Cyber issues top the list of political, crime, and security risks. This may be attributable to increased politically and ideologically motivated attacks and the increased cost associated with attacks. The report questions whether organizations “are spending money on the right things” to effectively address cybersecurity, and posits that spending money on security measures and making sure that security recommendations are implemented might be a better investment than purchasing insurance policies that cover cyberattacks. An April 2013 report from the Insurance Information Institute suggests that about two-thirds of cyber incidents are due to issues within organizations’ control. [Lloyds Risk Index] [Lloyds Press Release] [Lloyds Report]

Surveillance

US – Senators Seek Changes to FISC, Section 215

Sen. Richard Durbin (D-IL) said changes to foreign intelligence surveillance court proceedings are needed and proposed adopting “a real court proceeding” to approve wiretapping requests, The Wall Street Journal reports. “Let’s have an advocate for someone standing up for civil liberties to speak up about the privacy of Americans when they make each of these decisions,” Durbin said, along with proposing the release of redacted FISA court transcripts. In a special to The Washington Post, Sens. Mark Udall (D-CO) and Ron Wyden (D-OR) urge the White House to “end the bulk collection of Americans’ phone records and instead obtain information directly from phone companies, using regular court orders based on individual suspicion.” The prevailing sentiment, The New York Times reports, is that momentum is building in Congress to alter NSA surveillance.

US – NSA Amendment Voted Down In House

In a close vote, the U.S. House of Representatives defeated an amendment that would have prevented the National Security Agency from collecting large volumes of phone records. The 205-217 vote followed “impassioned debate over citizens’ right to privacy and the steps government must take to protect national security.” Rep. Jerrold Nadler (D-NY) said of Section 215, the provision under which the NSA collects phone metadata, “It’s going to end—now or later…The only question is when and on what terms.” Rep. Mike Rogers (R-MI) said he would draft legislation in the coming months to add more privacy protections to government surveillance programs. In an op-ed for The Times, David Brin writes of increased surveillance: “You can either fight this new era, or embrace it.” [The New York Times]

US – US House Defeats Measure to Rein In NSA Data Collection

By a narrow margin, the US House of Representatives voted down an amendment to the DoD Appropriations Act of 2014 that would have restricted the NSA’s authority for bulk collection of phone record metadata. Under the defeated amendment, the NSA would still have had the authority to collect phone records of suspects related to anti-terrorism investigations. The White House opposed the amendment, saying “this blunt approach is not the product of an informed, open, or deliberative process.” [WIRED] [ArsTechnica] [ZDNet] [ComputerWorld] [The Atlantic]

CA – Ontario Commissioner Discusses Dangers of Metadata

The Ontario Information and Privacy Commissioner Ann Cavoukian discusses the term “metadata,” frequently used since revelations of the U.S. National Security Agency’s surveillance program. While government officials defend the use of metadata, claiming it isn’t privacy invasive because it doesn’t access telecommunications content, Cavoukian says this is “fanciful thinking–perpetuating a myth that is highly misleading. The truth is that collecting metadata can actually be more revealing than accessing the content of our communications.” Cavoukian has also published a white paper on the topic. [Toronto Star]

US – Court Renews NSA’s Authority to Gather Phone Metadata

The US Foreign Intelligence Surveillance Court has renewed its order granting the National Security Agency (NSA) authority to collect metadata from telecommunications companies. The decision to renew the program was made “in light of the significant and continuing public interest in the telephony metadata collection program.” The order does not allow access to content of phone calls or the identity of subscribers. [ComputerWorld] [ZDNet] [Ars Technica]

US – US Justice Dept. Says NSA Snooping Does Not Violate Constitutional Rights

The US government has responded to a series of lawsuits challenging the NSA’s authority to snoop on phone records, saying that the intelligence agency’s activity cannot be challenged in court. The Obama administration maintains that the actions do not violate citizens’ constitutional rights and are conducted in the “public interest.” [WIRED] [US DOJ Filing]

US – NSA Adopts Procedures to Protect Data on its Networks

New rules adopted by the National Security Agency (NSA) aim to protect the top-secret data stored on its networks. A “two-man rule” requires two systems administrators to work together when accessing systems containing highly classified data. The system is based on a similar procedure used in the handling of nuclear weapons. The NSA also plans to implement strong encryption for its most sensitive data. [NY Times]

NZ – Bill Would Expand NZ Intelligence Agency’s Domestic Surveillance

New Zealand’s parliament is poised to pass legislation that gives the Government’s Communications Security Bureau (GCSB) broader surveillance powers, including the authority to wiretap New Zealand citizens’ communications. GCSB’s domestic surveillance activity gained attention last year after it tapped communications of Megaupload founder Kim Dotcom, an action found to be illegal because Dotcom was a resident of the country. Public opposition to the bill is growing. [The Register] [stuff.co.nz] [NZHerald]

Telecom / TV

US – NJ Supreme Court: Get a Warrant for Cellphone Info

The New Jersey Supreme Court ruled that law enforcement must acquire a warrant prior to obtaining tracking information from a suspect’s cellphone. The ruling “puts the state at the forefront of efforts to define the boundaries around a law enforcement practice” that has divided courts around the country, and the issue will likely end up before the U.S. Supreme Court. Meanwhile, a House appropriations panel has unanimously adopted an amendment that would require law enforcement to get a warrant before accessing e-mail and other online messages. The amendment was added to the Fiscal Year 2014 Financial Services and General Government Appropriations bill and the privacy requirement covers the Internal Revenue Service, the Securities and Exchange Commission and other regulatory agencies. [The New York Times] [Text of decision]

US – Appeals Court Says No Warrant Required for Accessing Location Data

The US Fifth Circuit Court of Appeals in New Orleans, Louisiana, has ruled that law enforcement agents do not require warrants to track suspects’ locations through cell phone records. The ruling overturns an order from a federal judge in Texas. The new ruling indicates that cell phone records are the property of the carrier and are therefore not subject to reasonable expectation of privacy under the Fourth Amendment. Instead, the information is considered a business record. A court order is still required to search the records, but the requirements for obtaining a court order are less stringent than those for obtaining a search warrant. The Louisiana court cited the Stored Communications Act in support of its ruling. [CNET] [ComputerWorld] [ArsTechnica] [The Atlantic] [Text of Decision]

US – Fifth Circuit Decision “Doomed” at SCOTUS Level

Mark Joseph Stern contends that this week’s Fifth Circuit Court of Appeals decision that authorities do not need warrants to extract historical location data from cell phones “is doomed at the Supreme Court” level. “The Fifth Circuit’s cellphone ruling is almost certain to be reversed in the near future, barring a dramatic change of heart from one of the Supreme Court’s privacy lovers,” he writes. Meanwhile, TIME takes a look at five recent privacy cases in a report examining how the Supreme Court defines the right to privacy. [Slate] See also: [WSJ: Judges Ask Supreme Court to Take On Cell-Phone Searches]

US – Razor-Thin House Vote Prompts Privacy Action

The Guardian examines the “razor-thin defeat” of a congressional measure to curb domestic surveillance and the subsequent reaction from lawmakers and privacy advocates. One former NSA analyst-turned-whistleblower said, “It doesn’t mean the end of it. It’s the beginning.” Sen. Patrick Leahy (D-VT) announced the Senate Judiciary Committee will hold a hearing next week entitled, “Strengthening Privacy Rights and National Security: Oversight of FISA Surveillance Programs.” Rep. Adam Schiff (D-CA) is crafting legislation to create a special privacy advocate to appear in front of the FISA court as an “adversary.” The New York Times delves into the FISA court judges and the role played by Chief Justice John Roberts in choosing them. [The Guardian]

US – PCLOB To Meet With Private Sector

The Privacy and Civil Liberties Oversight Board (PCLOB) is slated to meet with Internet and telecommunications companies to determine what data and access to company servers they’ve provided to the U.S. government, Bloomberg reports. The move comes after the PCLOB held a hearing last week with privacy experts and former government officials. “It’s valuable to hear company perspectives on how the programs operate,” said PCLOB Chairman David Medine. “We want to hear both sides of it. We want to hear the government side, but we also want to hear the private-sector side.” Also, the PCLOB is getting reinforcements: Sharon Bradford Franklin is leaving The Constitution Project to join the board as executive director, The Hill reports. Meanwhile, a coalition of Internet companies and civil liberties groups are calling on the Obama administration and Congress to expand the disclosure of U.S. government surveillance programs. [Source]

US Government Programs

US – Senate Strongly Presses NSA; Bills Introduced; Classified Docs Released

A recent Senate Judiciary Committee hearing saw senators from both sides of the aisle press representatives from the National Security Agency (NSA), Office of the Director of National Intelligence (ODNI), Federal Bureau of Investigation and Justice Department over surveillance programs, particularly the provision allowing for the dragnet collection of Americans’ phone metadata. Committee Chairman Patrick Leahy (D-VT), on several occasions, expressed deep concern about the amount of Americans’ data being collected under Section 215. A number of senators said they were introducing legislation to narrow the scope of the collection of phone metadata. Obama administration representatives said they were willing to “reevaluate” the program. [Privacy Advisor]

US – Senators Aim to Change NSA’s Data Collection Practices

Undeterred by a recent House vote that failed to restrict NSA’s data gathering practices, a number of US senators say they plan to introduce legislation that will focus on the NSA’s phone data collection practices. The legislators say they want to make the NSA’s activity more transparent. Senator Al Franken (D-Minnesota) plans to introduce a bill that will require the NSA and other intelligence agencies to disclose the number of people whose information they have collected, and allow companies to disclose the numbers of surveillance requests made by government agencies. Senator Richard Blumenthal (D-Connecticut) will seek changes at the Foreign Intelligence Surveillance Court, adding the presence of public advocate lawyers. Senator Dianne Feinstein (D-California) wants the length of time that the data are held reduced from five years to two or three years. [ComputerWorld] [Ars Technica]

US – Documents Show Lawmakers Knew of NSA Data Gathering

Documents released by US intelligence officials earlier this week show that legislators were aware of the NSA’s wide-reaching data collection practices, but were prohibited from discussing the issue. The intent of releasing the information is to “allay concerns that the Obama administration was overstepping its legal authority.” [WIRED]

US – NSA Chief Defends Data Gathering Programs, Asks Disagreers to Help

In his keynote address at the Black Hat security conference in Las Vegas, NSA chief General Keith Alexander defended the agency’s data collection and surveillance practices. Alexander maintained that there have been “zero abuses of NSA PRISM,” and that the data gathering is an essential part of fighting terrorism. He said that the data collection programs have been mischaracterized, and that the allegations that they are “collecting everything [are] not true.” Alexander noted that queries of the collected phone call metadata are restricted. Alexander also told audience members, “If you disagree with what we’re doing, you should help us [make it better].” [WIRED] [ArsTechnica] [CNN] [SC Magazine] [NextGov] The General’s entire keynote, defending NSA’s practices, is available on YouTube at the official Black Hat channel.

US Legislation

US – Sen. Leahy Introduces FISA Privacy Act

Senate Judiciary Chairman Patrick Leahy (D-VT) has introduced legislation to reform America’s surveillance powers. The FISA Accountability and Privacy Protection Act of 2013 —which is cosponsored by nine additional senators—would narrow the scope of Section 215; allow for judicial review of “gag orders” provisions; move up the FISA Amendments Act sunset clause by two years; require the inspector general of the intelligence community to conduct a comprehensive review of the current law and its impact on citizens’ privacy, and mandate the release of an unclassified report for the public on the impact of the surveillance programs on individual privacy, the report states. The Senate Judiciary Committee will host a hearing on privacy and the NSA disclosures on Wednesday. [Slate]

US – Hearing on Breach Notification

The House Energy and Commerce Subcommittee on Commerce, Manufacturing, and Trade held a hearing that saw industry groups pushing for a federal data breach notification law. Bloomberg reports that the push aims to create one streamlined process to preempt the differing requirements in 46 states and the District of Columbia. Corporate Counsel reports this is the fourth time in eight years the House has considered such a law. “The subcommittee called six witnesses representing technological and telecommunications trade groups, privacy software companies, and academia,” all of whom advocated for a federal standard, but differed on how it should read.

US – Hulu Argues No VPPA Violation

The online streaming company Hulu is facing a potential class-action lawsuit for violating the Video Privacy Protection Act (VPPA) by disclosing its customers’ viewing habits. While the company admits to sharing the information, it argues in court papers that because the data is associated with an ID number and not personal information there is no violation. “The consumers alleged in their lawsuit that third parties could figure out people’s identities from their User IDs, given that Hulu included the User ID in the Web page addresses of users’ profile pages.” Hulu claims in the court papers to have stopped this practice two years ago. [MediaPost]

US – Judge Orders Google to Reveal Blogger

A Manhattan judge says there is compelling enough evidence to unveil the identity of an anonymous blogger who has created blogs titled frederickschulmancrookedattorney.com and stopfrederickschulman.blogspot.com. “The web blogs…are causing actual, pecuniary injury to Mr. Schulman’s reputation as a zealous advocate for consumers against debt collection companies,” states Schulman’s court petition. Google questioned the necessity of revealing the blogger’s identity, but the judge has ordered it to do so, though Schulman has yet to even file a defamation suit. The blogger has an opportunity to challenge the discovery, according to the report. Unless that happens, Google has two weeks to comply. [Wall Street Journal]

US – Congressmen Introduce Bill to Curb ID Theft of Deceased

Reps. Sam Johnson (R-TX) and Xavier Becerra (D-CA) have introduced HR 2720 to address the privacy of recently deceased individuals. “The bill would mandate that, starting January 2014, only death information older than three years would be made publicly available through the (Social Security Administration’s Death Master File), which will prevent criminals from filing fraudulent tax returns before the legitimate family files its return,” states the press release.

US – Bill To Spur EHR integration Between DoD and VA

Sen. Bill Nelson (D-FL) introduced The Servicemembers’ Electronic Health Record Act of 2013 (S. 1296), to set a one-year timeline for the integration of electronic health records between the Department of Defense and the Department of Veterans’ Affairs, among other things. The bill would amend the Wounded Warrior’s Act and requires the agencies to create standard forms and methods for data sharing, including giving consideration to storing data in the cloud. According to the report, a similar bill has been proposed in the Senate (H 2590), which has 44 co-sponsors and has been referred to the House Armed Services and Veteran’s Affairs Committees. [FierceEMR]

US – Judge Allows Orgs to Seek Dismissal of Wyndham Lawsuit

In a closely watched case, a federal judge in New Jersey will allow the U.S. Chamber of Commerce and other organizations to seek dismissal of a lawsuit filed by the Federal Trade Commission (FTC) against Wyndham Worldwide Corp. TechFreedom’s Berin Szoka said, “The FTC has this broad authority to make what is known as common law for information security not unlike the common law where courts make a decision and others can study and understand that law.” As a consequence, companies do not have much by way of guidance from the FTC for what constitutes deceptive and unfair practices. University of California Berkeley Prof. Chris Hoofnagle said the dismissal is a “Hail Mary effort to stop the FTC from enforcing its unfairness power.” [ComputerWorld]

US – Lawmakers Preparing Legislation in the Wake of NSA Surveillance

In light of NSA surveillance programs that have recently garnered the world’s attention, Sen. Al Franken (D-MN) is drafting legislation that he writes “will require the federal government to annually report how it uses key authorities under the Patriot Act and the Foreign Intelligence Surveillance Act, including the authorities underlying the phone metadata and the PRISM electronic surveillance programs that recently came to light.” Rep. Mike Rogers (R-MI), chairman of the House Intelligence Committee, said on Wednesday that he would draft legislation in the coming months to add more privacy protections to government surveillance programs. According to The Huffington Post, Rep. Adam Schiff (D-CA) is preparing legislation that would create a privacy advocate to appear in front of the Foreign Intelligence Surveillance Court. This newest draft is the third proposal in Schiff’s push to reform the FISA court. He has also drafted laws “to declassify and publish the court’s opinions and to shift the power to choose its 11 judges from the Supreme Court’s chief justice to the president,” the report states.

US – CA Ballot Initiative Could Establish “Very Different Set of Privacy Rules”

A former California state senator and a trial lawyer have filed a “potentially revolutionary draft ballot initiative” with the California Attorney General’s Office, writes DLA Piper’s Jim Halpert for Technology’s Legal Edge. The initiative would restrict business and government disclosures of a broad range of personally identifiable information, Halpert writes, which could only be disclosed in narrow circumstances. If voters approve the initiative, California’s constitution would be amended to include “a very broad opt-in privacy regime with narrow exceptions…bringing to California a very different set of privacy rules than apply anywhere in the United States.” It would result in major cost increases for both business and government operations, Halpert writes. [Source]

US – States Reviewing Policies Due to Anonymity Concerns

Some U.S. states are reviewing their policies on the collection and sale of health information based on concerns around patient anonymity in publicly available databases of hospital records, Bloomberg reports. Washington, for example, has suspended distribution of such information and requires buyers to sign a confidentiality agreement, after it was revealed some patients of hospitals in the state could be identified by name and their conditions exposed. Tennessee, Nevada and Arizona have begun privacy audits, and California, Illinois, New Jersey, Massachusetts, Connecticut, Nebraska and Alaska already have reviews under way. While health care providers are forbidden from releasing patient information under HIPAA, states are exempt from the law. [Source]

UK – ICO Says License-Plate Cameras Broke Law

The Hertfordshire Constabulary’s use of seven cameras to monitor traffic coming and going from the town of Royston is against the law, reports BBC. The force failed to carry out a privacy impact assessment, and according to the head of enforcement at the Information Commissioner’s Office, “The use of ANPR (automatic number plate recognition) cameras and other forms of surveillance must be proportionate to the problem it is trying to address. After detailed inquiries…we found that this simply wasn’t the case in Royston.” The police have been ordered to remove the cameras unless they can justify the use.

CN – Chinese Ministry Issues Telecom, ISP Privacy Rule

The Ministry of Industry and Information Technology of the People’s Republic of China has issued a new rule entitled Provisions on the Protection of Personal Information of Telecommunications and Internet Users, reports Hunton & Williams’ Privacy and Information Security Law Blog. The rule aims to implement the requirements of last December’s Decision on Strengthening Protection of Online Information, and is in keeping with the nation’s push toward protecting personal information. The rule imposes requirements on the collection and use of personal information by telecommunications and Internet service providers including collection limitations, use limitations, access and correction rights and breach notification.

UA – Federal Law in UAE: Photo and Video Without Consent Is Illegal

After the arrest of an official for assault, the official’s family has filed a case against the person who videoed the attack on the grounds of privacy invasion, reports Emirates 24/7. The cameraman has been arrested under Article 378 of the penal code, which makes publishing by any means material of an individual’s private life against the law. “It is not allowed for anyone to film others without the permission of the public prosecutor, or with the written permission of the person(s) who appear in the pictures. In this case it will be considered a violation of privacy,” said Major General Khamis Mattar Al Muzinah, acting chief of Dubai Police, adding, “At modern times in my view this law is highly significant in protecting a person’s private/family affair.”

Workplace Privacy

US – CIO Council Issues Social Media Guidance

The CIO Council has issued guidance calling on government agencies to be transparent about their use of social media. The guide, Privacy Best Practices for Social Media, states, “By being transparent about what type of information the agency is collecting and how it is collecting it, the agency can help minimize the public’s concern that the government is monitoring individual speech and actions on social media.” The guide offers best-practice advice on establishing a social media program and using social media for information sharing, among others. The guide recommends limiting “information gathering to facts surrounding an event” and collecting PII only “in very limited situations,” the report states. [GovInfoSecurity]

US – Survey: Employees Mistrust Policies; Some Orgs Don’t Have Them At All

An online survey of almost 3,000 employees in the U.S., UK and Germany showed that when it comes to “bring your own device (BYOD),” only 30% said they trust their employer to keep personal information private and not use it against them. The survey indicated a level of confusion over what constitutes personal information. Meanwhile, ZDNet cites Acronis’ 2013 Data Protection Trends Research report indicating the majority of Australian organizations don’t have a BYOD policy and 33% don’t allow personal devices into the corporate network. [The Telegraph]


+++

01-15 July 2013

Biometrics

NZ – Privacy Issues Raised In Face Recognition for Problem Gamblers

The Department of Internal Affairs says the use of facial recognition technology for problem gamblers at gaming machines raises privacy issues. The technology, developed by the company Positive Outlook, takes photos at the machines and locks them down when an excluded gambler approaches. It is being trialled at a Hamilton pub and may be used at other pubs and clubs around the country. Regulatory services general manager Maarten Quivooy says significant issues need to be worked through before the technology is used more widely, as there are concerns about who manages and has access to the database that stores people’s images. He says there are also questions about the speed and level of accuracy of the camera technology, and the cost. Positive Outlook says the technology does not breach privacy. A company director, Bruce Tevarthen, says as it is an opt-in system, only images of those who have elected to formally enrol are held. He says the images database is administered by an independent party. [Source]

Canada

CA – Canadian Senate Remands Bill C-377

On June 26, Liberal, Conservative and Independent senators joined together in a rare demonstration of non-partisan co-operation to amend Bill C-377, a private member’s bill that would have forced labour unions to publicly disclose an unprecedented amount of personal information relating to individual Canadians and businesses, and post them, with names, on the Internet. The Privacy Commissioner of Canada testified that this would be a “significant invasion of privacy.” We were told repeatedly by constitutional experts that the bill was unconstitutional, that the issues addressed fell within provincial jurisdiction, and that we would be exceeding our constitutional jurisdiction if we passed it. Five provinces told us the bill should not proceed. These were governments of every political stripe — Liberal, NDP, Parti Québécois and Conservative. Together, they represented more than 70% of the population of Canada. They told us the bill could destabilize labour relations in their provinces; one minister said it would be “a grenade in the room of collective bargaining.” A Senate committee sat for three weeks of hearings studying Bill C-377. They heard from 44 witnesses. The overwhelming weight of the evidence was that the bill was deeply flawed. Many Canadians have written to applaud the actions of the Senate in amending the bill and returning it to the House of Commons for further consideration. They say it demonstrates exactly why the Senate exists, and the importance of sober second thought. [Source]

CA – Supreme Court Will Hear Case Dealing With Privacy Rights for Cellphones

The Supreme Court of Canada is taking on the question of whether police can access information on a cellphone that isn’t protected by a password. The court has agreed to hear an appeal from Kevin Fearon, who was arrested after an armed robbery in Toronto in 2009. Police obtained photos of a gun and cash, as well as a text message about jewelry, after taking a closer look at Fearon’s phone, which was unlocked. After he was convicted, Fearon appealed, arguing that police breached his rights when they examined the phone after his arrest. The Ontario Court of Appeal said it was all right for the police to look through the phone in a cursory fashion to see if there was evidence relevant to the crime, but after that they should have stopped to get a search warrant. Had the phone been password-protected or otherwise locked to anyone other than its owner, “it would not have been appropriate” to look through the phone without a search warrant. The appeal judges referred to a decision in a murder case in which the judge did not allow evidence from a personal electronic device because it “functioned as a mini-computer,” which has a high expectation of privacy. The contents of that device were only extracted by a police officer using specialized equipment, the judges noted. “There was no suggestion in this case that this particular cellphone functioned as a ‘mini-computer,’ nor that its contents were not ‘immediately visible to the eye,’” the court said in its ruling. “Rather, because the phone was not password-protected, the photos and the text message were readily available to other users.” Defence lawyer Sean Robichaud said that approach failed to take into account the amount of information many people keep on their cellphones these days. Fearon also appealed over the issue of access to a lawyer, saying he was left in an interview room for five hours without an opportunity to contact counsel. 
The Supreme Court, however, said the appeal will be limited to the cellphone issue. [Source]

WW – International Privacy Coalition Calls on the EU to Increase Data Protection

In response to revelations regarding PRISM and related surveillance programs, privacy advocates from the U.S., Canada and Europe have issued a consensus statement calling on the EU to increase data protections. The EU’s data protection framework has been a model of privacy protection for many countries in the world, including Canada. The EU framework gives citizens vastly more privacy protections than citizens have in the US. The EU is currently reforming its data protection framework and the US is lobbying heavily to see EU privacy protections eroded. Gathered in Washington, DC for the conference on Computers, Freedom and Privacy (CFP), a dozen groups from both sides of the Atlantic joined the “Washington Statement,” including the American Civil Liberties Union (ACLU), the Electronic Privacy Information Center (EPIC), European Digital Rights (EDRi), Privacy International, and the British Columbia Civil Liberties Association (BCCLA). The group warned policymakers that “Our common future, on both sides of the Atlantic, needs privacy and a strong European law. We call on European policy makers to defend this human right now, as an essential prerequisite for preserving privacy, freedom of thought and of expression in vibrant democracies.” [Source]

CA – Businesses Push for Freedom to Share Personal Data Across Borders

If business groups in Canada and the United States get their way, new free-trade rules would limit the ability of governments to block cross-border flows of personal and financial data. The Canadian Chamber of Commerce, which speaks for 200,000 businesses across the country, is joining the U.S. Chamber of Commerce to push for new data standards in future free-trade deals, starting with the 12-country Trans-Pacific Partnership. The lobbying push is part of an effort by the business community to stamp out what it sees as rising “digital protectionism” – everything from Internet censorship to privacy laws mandating the storage of certain personal data within countries. “What we’re seeing increasingly is that governments are trying to impose controls on the flow of data in a variety of ways,” said Perrin Beatty, the Canadian chamber’s president and chief executive officer. [Source]

CA – Media Trampled on Terror Suspects’ Rights: Civil Liberties Group

The mob of reporters and photographers that swept through the suite of a Surrey, B.C., couple charged in the alleged Canada Day terror plot had no legal right to snoop through their home, according to the BC Civil Liberties Association (BCCLA). Two days after Mounties arrested Amanda Korody and John Nuttall, their landlord allowed media members to walk freely through the basement suite. A QMI Agency staffer who went into the house twice witnessed a reporter rifling through a notebook belonging to the couple and videotaping pages. He also noticed things were moved after his initial visit — drawers and closets were opened and artifacts appeared rearranged and grouped. The QMI Agency legal team advised the newsroom to refrain from publishing photos from inside the house. BCCLA executive director Josh Paterson said no one should have been in the house in the first place, as there’s only a handful of specific reasons a landlord can legally enter a suite. “They can do it if there’s an emergency, they can do it if they have to show the unit, or if the tenant had abandoned the unit, but there’s no information here to suggest any of those things are true,” he said. “Just because you got arrested and maybe put in jail, doesn’t end your residential tenancy. That’s a whole separate process.” [Source]

CA – Canadian Retailers Using Postal Code Information to Target Customers

In line at the cash at the LCBO, Ikea or Walmart, the cashier takes your card and asks for your postal code. Why is she asking? What should you do? Retailers, including the LCBO and Ikea, say postal code information is collected to fine-tune services for customers, including product selection, and to target flyers to specific neighbourhoods to reduce waste and save money on postal services. But the potential exists for using postal code information to compile personalized mailing lists that can be sold or shared. Data collection and management companies including Harte-Hanks Data Services and Solutions, which operates worldwide, offer businesses the ability to use software to match postal codes with credit card information to come up with unique addresses. “Users simply capture names from the credit card swipe and request a customer’s ZIP code during the transaction. GeoCapture matches the collected information to a comprehensive database to return an address,” according to information posted to the firm’s website. “Works at the point of sale to identify customers, understand purchase behaviour and follow up with dynamic, personalized marketing.” Canadians are more worried than ever about the misuse of their personal information, according to the results of a survey released late last year by the Office of the Privacy Commissioner of Canada. “Seven in 10 think that their personal information has less protection in their daily lives than it did 10 years ago, an increase of 10% since 2011. As well, the majority (56%) are not confident that they have enough information to know how new technologies affect their personal privacy which is the highest expression of a lack of confidence for this question since tracking began in 2000,” the survey found. It also found that Canadians are reluctant to share their personal information with organizations (57% never or rarely do so), and most (60%) have asked for an explanation of how an organization will use their information. 
No one is obliged to divulge their postal code at point of purchase, says Scott Hutchinson, a spokesman for Canada’s privacy commission office. “People who may wish to entertain the request should be encouraged to ask why the information is needed and what it will be used for; and if they don’t like the answer, they can be equally encouraged to simply just say ‘no,’ ” he says in an email to the Star. [Source]

CA – Ontario Privacy Commissioner Receives Anti-Bully & Online Safety Award

Ontario’s Information and Privacy Commissioner Ann Cavoukian is the latest recipient of the KnowledgeFlow CyberSafety Champion award for her relentless drive to raise awareness in support of the most important causes affecting youth and families in the information age. “Dr. Cavoukian consistently raises the bar across a number of important domains. Her efforts to curb the victimization of the most vulnerable members of our society is something that we are proud to recognize” said Claudiu Popa, CEO of Informatica Corporation and founder of the KnowledgeFlow.ca Initiative. [Source]

Consumer

US – Americans Divided on Snowden; Young Alito Pushed for Protections

The New York Times reports on a poll indicating division among Americans on whether Edward Snowden is a traitor or a whistleblower. The Quinnipiac University poll indicates the majority of those surveyed—55%—said he was a whistleblower for revealing the National Security Agency’s (NSA) PRISM program, while 34% said he was a traitor. Meanwhile, a report cited in the Electronic Privacy Information Center’s lawsuit asking the Supreme Court to halt the NSA’s surveillance program indicates that Supreme Court Associate Justice Samuel Alito, in his days as a Princeton undergraduate, urged strict safeguards to protect personal privacy online. [Source] [US: Poll Shows Complexity of Debate on Trade-Offs in Government Spying Programs] See also: [Post Mortem, What Happens to Your Account Info?]

US – Complaint Filed Over Jay-Z/Samsung App

The Electronic Privacy Information Center (EPIC) has filed a complaint on Jay-Z and Samsung’s Magna Carta Holy Grail app. “Samsung failed to disclose material information about the privacy practice of the App, collected data unnecessary to the functioning of the Magna Carta app, deprived users of meaningful choice regarding the collection of their data, interfered with device functionality and failed to implement reasonable data minimization procedures,” EPIC said in its complaint, filed July 12. [Ars Technica]

E-Government

AU – Govt Releases Security and Privacy Requirements for Cloud

The federal government has set out provisions for government agencies using cloud without compromising security or privacy. Attorney-General Mark Dreyfus said the policy will help government agencies make decisions around whether to offshore or outsource processes and requires agencies to seek government approval before storing personal information in the cloud. The policy follows the May release of the and the Australian Government Cloud Computing Policy v2.0. Dreyfus said several privacy safeguards have been built into the policy, which has been called the Australian government policy and risk management guidelines for the storage and processing of Australian government information in outsourced or offshore ICT arrangements. Under the policy, approval will be required by both the minister responsible for the information and the Attorney-General before personal information can be stored in the cloud. [Source] See also: [How to address the risks of 24/7 government] and [How Ontario faces big data privacy challenges]

JP – Japan Govt Used Wrong Privacy Settings in Google Groups

Japanese government officials and journalists have mistakenly revealed internal memos, draft stories and interview transcripts by reportedly using the incorrect privacy settings in Google Groups. Yomiuri Shimbun, a Japanese newspaper, reports it found more than 6,000 cases where public or private organizations revealed nonpublic information, including hospital records, via the wrong privacy settings. [ZDNet]

E-Mail

US – Google Glass Privacy Concerns Persist in Congress

U.S. Rep. Joe Barton of Texas says he is “disappointed” in Google’s response to privacy worries caused by the emergence of Google Glass. In a statement released after the Republican congressman reviewed Google’s response to a letter sent to the company by members of the Congressional Bi-Partisan Privacy Caucus — a group set up to examine the privacy issues Google Glass causes — Barton said he believes that the general public needs to be given more choice to ensure their privacy is not violated. In May, congressional leaders wrote to the tech giant to establish what controls will be put in place to protect consumer privacy. Addressed to Google CEO Larry Page, the letter (PDF) questions whether Google Glass will “infringe on the privacy of the average American,” and asks what place facial recognition technology will hold in relation to the headset’s ability to record video and take photographs. Google, in response to the letter, says that “protecting the security and privacy of our users is one of our top priorities,” and one way of doing so is making sure Google Glass requires voice activation to take video footage or shoot images. In addition, Google says that such actions activate the product’s screen, which is a change visible to others. To address facial recognition technology worries — where personal information about others or objects could be revealed without consent — the tech giant says that it “will not be approving any facial recognition Glassware at this time,” and will “prohibit developers from disabling or turning off the display when using the camera.” No changes in Google’s privacy policy are planned with the emergence of Google Glass. Finally, Google says that all files stored on the device will be deletable by users. Headsets can be remotely wiped in the case of loss or theft, and the company is currently experimenting with different ways to “lock” Glass flash memory to secure data. [Source]

US – Google Glasses Secretly Film Arrest

Documentary filmmaker Chris Barrett captured an arrest using Google’s wearable computer during a trip to the Jersey Shore boardwalk on July 4, where he witnessed a fight resulting in police intervention. Barrett filmed the incident without being noticed, the report states. “More notable than the video itself is the ease at which it was captured without the knowledge of those in the middle of the melee. His footage foreshadows the rapidly approaching future where everything can be filmed serendipitously by folks wearing devices like Google Glass without the knowledge of the parties involved,” wrote Thomson Reuters’ Christophe Gevrey. [Business Insider]

Encryption

US – Microsoft Provided NSA More Help Than Previously Disclosed

Relying on NSA documents provided by Edward Snowden, The Guardian reported that Microsoft recently worked with the FBI to help the NSA get around encryption on Microsoft services, such as online chats on Outlook.com, and to monitor conversations on the company’s Skype service. The newspaper also said that Microsoft worked recently with the FBI to streamline the way the NSA can access users’ files on SkyDrive, Microsoft’s online document storage service, when Microsoft is required to provide that information for foreign-intelligence purposes. Microsoft said it doesn’t provide governments with blanket or direct access to Microsoft services. [Wall Street Journal]

IN – Indian Govt Can Now Intercept Consumers’ BlackBerry Communications

BlackBerry has come to an arrangement with the Indian government to allow “lawful interception” of communications in real time. The system allows the Indian government to track consumers’ communications sent to or from any BlackBerry device, regardless of whether the message has been delivered or read. The system does not include corporate email messages sent over BlackBerry Enterprise Server. News of the arrangement has raised questions among analysts about whether the Indian government will now turn its attention to Apple, whose iMessage and FaceTime services use end-to-end encryption. [ZDNet] [BBC.co.uk]

EU Developments

EU – European Parliament Demands Information on PRISM

The European Parliament has passed a resolution demanding that the US government provide “full information on PRISM and other such programmes involving data collection.” In addition, the European Parliament Civil Liberties Commission has voted to launch an “in-depth inquiry” into privacy and civil rights issues for EU citizens raised by PRISM. The Parliament is calling on member nations to consider putting a hold on counter-terrorism data transfer agreements with the US until the data are better protected. [ComputerWorld] [WashingtonPost] [Europarl] [Europarl]

EU – EU Special Committee to Investigate Spying Reports

As headlines continue to abound regarding concern from EU officials and member states, EurActiv reports the European Parliament “plans to establish a special committee to investigate reports that an American spy agency monitored phone calls and e-mails of EU institutions and some member states.” The panel, which will be established as part of the Committee on Civil Liberties, Justice and Home Affairs, will deliver its report by year’s end and “formulate proposals on adequate redress measures in case of confirmed violations and put forward recommendations to prevent that similar espionage events happen in the future,” the report states. Following communication with U.S. Attorney General Eric Holder, Justice Commissioner Viviane Reding said, “The U.S. appears to take our concerns regarding PRISM seriously,” noting Holder has committed to setting up an expert group “to assess the matter in detail…and the group will have its first meeting this month and a second one in Washington in September.” Meanwhile, in a TechNewsWorld interview, Oxford Prof. Viktor Mayer-Schönberger opines, “People feel they have been deceived; people feel that they cannot trust the U.S. government.” [Source]

EU – EU Wants Data Protection Bill by May 2014

EU Justice Commissioner Viviane Reding is calling to accelerate movement on the data protection bill currently stuck in the European Parliament’s civil liberties committee. “I would find it helpful if the European Council in October, which will deal with the European single market, could address this matter and speed up the work in the council on this important file,” said Reding in her appeal on Monday. Meanwhile, Hogan Lovells’ Christopher Wolf opines in Financial Times that “it is wrong to assume the U.S. is the worst regarding surveillance,” arguing that Europe does its fair share. [EUObserver] See also: [Breach Requirements Are Coming: Roundup]

EU – Netherlands: The Dutch Cookie Monster

On June 5, 2012, new Dutch legislation on the use of cookies entered into force. This new regime, which introduces a requirement for informed consent based on an opt-in system, has major implications for online advertising companies focusing on Dutch customers. To implement Directive 2009/136/EC [ePrivacy Directive], the law regarding cookies in The Netherlands has now been revised to require consent given explicitly by the internet user in cases of “third party” and “tracking cookies”. The same requirement of explicit consent applies should a provider want to place cookies for online behavioural advertising purposes. [Source]

EU – Majority of Retailers Say New Rules Will Harm Business

More than two-thirds of online retailers say proposed changes to EU data protection rules will damage business. That’s according to a recent survey by the European Multi-channel and Online Trade Association, which represents more than 80 percent of EU online traders, the report states. The survey polled 90 companies from the UK, Germany, Austria, France, Sweden, Switzerland, Greece and Spain. [EurActiv]

EU – Sky Deutschland to Broadcast Ads Directly into Train Passengers’ Heads

Sky Deutschland has developed technology to transfer adverts from train windows directly and silently into commuters’ heads. Passengers leaning their head against the window will “hear” adverts “coming from inside the user’s head”, urging them to download the Sky Go app. The proposal involves using bone conduction technology, which is used in hearing aids, headphones and Google’s Glass headset, to pass sound to the inner ear via vibrations through the skull. BBDO spokesman Ulf Brychcy told the BBC: “If our customer Sky Deutschland agrees, we will start with the new medium as quickly as possible.” [Source]

EU – Dutch DPA Rules Against Mobile Telcos

The Dutch Data Protection Authority (DPA) has found that four mobile phone operators–KPN, Tele2, T-Mobile and Vodafone–violated Dutch laws regarding user data retention and anonymization. According to the regulator’s study, which began in 2011, the companies failed to delete or anonymize data such as websites visited and apps used as quickly as possible, as regulations require. Of the four, KPN is reportedly the only operator to have resolved each of the issues identified by the investigation. The others claim to be actively addressing the issues in cooperation with Dutch regulators. Meanwhile, Bird & Bird’s Berend van der Eijk has said a bill proposing fines of up to €450,000 for public and private organizations that fail to meet notification requirements “is very likely” to pass, noting the earliest it would enter “into force would likely be 1 July 2014, or more realistically, 1 January 2015.”

CH – Swiss DPA Releases Annual Report

Switzerland’s DPA has issued its 20th Report of Activities, covering the timeframe of April 2012 to March 2013. Hunton & Williams’ Privacy and Information Security Law Blog details the report’s focus on several data protection issues including employer monitoring of employee behavior at work, businesses’ social media and loyalty program analytics and whistleblowing provisions.

EU – Regulators Prepared to Take Action Against Google

The UK Information Commissioner’s Office (ICO) has written to Google to warn the company that it could take “formal enforcement action” if it does not alter its privacy policy by September 20. “In our letter we confirm that its updated privacy policy raises serious questions about its compliance with the UK Data Protection Act,” an ICO spokesperson said. The updated policy “does not provide sufficient information to enable UK users of Google’s services to understand how their data will be used across all of the company’s products.” Meanwhile, Hamburg Commissioner for Data Protection and Freedom of Information Johannes Caspar says his office will join other European regulators, including Spain, in taking action against the company. [Out-Law.com]

EU – DPA Asks Facebook for Clarifications

The Italian Data Protection Authority, the Garante, is requiring Facebook to provide clarifications by July 20 on personal data processing following recent announcements of a “bug” that caused the exposure of personal information. Panetta & Associati Studio Legale’s Rocco Panetta writes, “Facebook has already assured that the unwanted data processing has occurred due to a mere technical bug.” Despite that, he notes, the Garante is requiring confirmation on six points, including the duration of the event and measures taken to resolve the issue. [Privacy Advisor]

EU – Twitter Gives Anti-Semitic Posts to Authorities

Microblogging site Twitter has complied with a French court’s request to hand over tweets related to a number of racist and anti-Semitic messages that were posted on its site. An appeals court ruled last month that the company must hand over the names of the users propagating the anti-Semitic messages, raising the thorny issue of online anonymity and hate speech. Twitter said in a statement that handing over the data will “put an end to the dispute” and that it will work with the Union of Jewish French Students to “fight racism and anti-Semitism.” [CNET News]

Facts & Stats

US – California AG Breach Study Highlights Importance of Encrypting Data

A report from California’s attorney general found that in 2012, 2.5 million California residents had their personal information compromised in the 131 security breaches that were reported to the AG’s office. The report also notes that had companies encrypted their stored data, 1.4 million people would not have had their personal information exposed. Under state law, breaches do not need to be reported if the data affected are encrypted. [SCMagazine] [Press Release] [California’s first data-breach report finds 131 incidents hit 2.5 million citizens] and [NZ: Privacy breaches already at 20]

Filtering

WW – Visa and Mastercard Blocking Payments to Some VPN Providers

Swedish online payment service provider PaySon says that Mastercard and Visa have ordered the company to stop allowing payments to some virtual private network (VPN) providers and anonymization services. The new focus on VPNs and anonymization services appears to be directed at five companies that have been linked to P2P piracy. In a related story, WikiLeaks says that its Icelandic payment processor, Valitor, is once again accepting donations from credit cards for the organization. In 2010, Mastercard and Visa ordered payment processors not to process payments to WikiLeaks. An Icelandic court ruled recently that Valitor must resume processing payments to WikiLeaks. [TechEye] [The Register] [TechDirt] [ArsTechnica] [Reuters]

Finance

WW – Privacy Concerns Over M-Pesa Mobile Banking

The mobile phone-based money transfer system M-Pesa, which has brought mobile banking to the poor in Kenya, can be used to identify unsuspecting users, potentially compromising their privacy. Grace Githaiga, a Nairobi-based ICT expert, said in order to use the system, a user must submit their ID card number and address, which in turn are transferred to an M-Pesa agent. According to Githaiga, it’s not clear where the data ends up. Additionally, a loophole in the system means users can identify other users who might otherwise wish to remain anonymous. She notes that Kenya does have pending data protection legislation, though not an existing law, “but that tells you that there’s debate around data protection, and some of these things are going to be raised in that bill.” [Deutsche Welle]

CA – Privacy Debate Looms as Canada Prepares to Share Bank Data with U.S.

Tightening tax evasion versus protecting personal privacy looms large for Canada as it prepares to announce a deal with the United States to share banking information. The arrangement would allow Ottawa to soften the blow for Canada – and the roughly one million Americans who live here – when it begins complying with the more controversial aspects of a sweeping new U.S. law that takes effect on Jan. 1. The Foreign Account Tax Compliance Act (FATCA) was signed into law in March 2010, and many of its provisions start on Jan. 1, 2014. It requires financial institutions in other countries to tell the U.S. Internal Revenue Service about Americans’ offshore accounts worth more than $50,000. Canada and the U.S. are negotiating whether Ottawa or the financial institutions will send the information, but the clock is ticking. If no deal is reached, banks operating in Canada will have to give the data directly to the IRS. Canada and the U.S. already share financial information to track activity like money laundering and terrorist financing, but the U.S. tax act creates a need to sort out exactly what will be shared and how. Canadian banks have urged Ottawa to take on the reporting duties through the Canada Revenue Agency, which could ensure that privacy laws are respected when information is sent south of the border. Over the past year, the U.S. has signed bilateral deals to enforce the act with Germany, Japan, Spain, Norway, Switzerland, Ireland, Mexico, Denmark and the United Kingdom. The FATCA has created considerable concern for Americans in Canada, given that many have long ignored a U.S. rule requiring citizens to file annual tax returns even if they are not earning income in the United States. The leaders of the G8 recently pledged support for the automatic transfer of financial information to crack down on global tax evasion.
“The privacy implications of FATCA in Canada will depend on the details, which have yet to be determined,” said the federal Privacy Commissioner’s office. “Many of the people who have contacted us have expressed concern about their personal information being shared with U.S. authorities.” That concern is warranted, said Queen’s law professor Arthur Cockfield, who specializes in tax law. “No foreign government should be able to come into our country and demand personal information about our own citizens and residents,” he said, noting that the negotiations are aimed at smoothing over this problem by ensuring exchanges are mutual and at the government-to-government level. “There’s really been a conceptual shift around FATCA in the last, say, three or four months,” he said. “It was mainly hated by Canada and at least some European governments.” Mr. Cockfield said stories on tax evasion by the International Consortium of Investigative Journalists, which began in April and for which he provided commentary, have clearly changed the international political scene as European leaders began promising automatic exchanges like FATCA. [Source]

FOI

US – US Justice Department Revises Policies on News Media Data Seizure

Revised guidelines from the US Department of Justice limit the government’s access to journalists’ records except in cases in which the journalist is the subject of a criminal investigation. Ideally, journalists are protected by the First Amendment regarding freedom of the press and the Fourth Amendment regarding unreasonable search and seizure, as well as the Privacy Protection Act and other laws. The need for a revised and clarified policy became evident when the government launched an inquiry that characterized a journalist as a spy, criminalizing his efforts to obtain information from a source, and when the government obtained phone records for AP journalists. [Information Week] [Justice.gov]

US – NY Court Takes Up Teacher Pension Privacy Issue

New York’s highest court will soon decide whether the names and benefits of retired teachers in public pension plans should be made public. The Empire Center, a project of the fiscally conservative Manhattan Institute think tank, was denied the names by the state and city teachers’ retirement systems under the state Freedom of Information Law. In refusing to release the information, the teacher pension systems cited a recent court decision that protects police retiree names. Lower courts agreed with that privacy argument, and the Empire Center appealed to the Court of Appeals, which accepted the case last week. The Empire Center collects such data for its own research, for news media and for private individuals to track how public money is spent and to help identify any abuses. The center doesn’t seek addresses or other data from the records, which were once provided by the retirement systems as public documents. Arguments are expected within weeks; a decision could come weeks later. Empire Center Director Timothy Hoefer said the Court of Appeals decision to take the case is seen as a “ray of hope for public transparency.” [Source]

Genetics

WW – Little Debate on Privacy as DNA Collection Flourishes

The collection of DNA by governments around the world is flourishing, but there is a lack of public debate about the privacy and ethical issues raised by such collection. Yaniv Erlich of MIT’s Whitehead Institute for Biomedical Research said there is a lot of upside to having DNA databases, but said, “our work shows there are privacy limitations.” Others have warned of “mission creep,” where law enforcement uses DNA to gather data on racial origins, medical history and psychological profiles. A University of Baltimore forensics professor said, “There’s got to be a debate… Do we want to have a society where 5% of the crime is unsolved, or do we want to have a society where 100 percent of the crime is solved” but privacy goes extinct? “What’s the trade-off?” [The Associated Press] [Spread of DNA databases sparks ethical concerns]

WW – Privacy and the Family Genetic Inheritance

In this audio episode of Family Caregivers Unite, Dr Gordon Atherley interviews Ma’n Zawati, LLB, LLM, a lawyer and Academic Coordinator of the Centre of Genomics and Policy at McGill University. He shares his personal story, describes his research and work as a lawyer, and explains the Centre’s research regarding family genetic information. He discusses protections provided by privacy and security laws against theft and disclosures of our genetic information that could be harmful to us. He suggests ways in which the principles underpinning laws could be improved so our genetic information and that of our families can be better protected. He says what more he wants to do and see done by governments to improve laws to protect against abuse of our and our families’ genetic information. He says what more help is needed by individuals and their families so they can understand and speak about their fears of the risks of abuse of their genetic information. He shares his message for family caregivers. [Source]

US – Court Ruling On DNA Swabs Worries Local Privacy Advocates

A major decision handed down by the Supreme Court puts the right to privacy up for debate. The court ruled it is OK to take a DNA mouth swab from a person simply while under arrest to see if they could be connected to unsolved crimes. Law professor and defense attorney Richard Kling calls it a “dangerous precedent” but admits a mouth swab is just like a fingerprint. “With no probable cause and with no warrant and no consent, you can now be forced to give a DNA swab which can be used to investigate you for anything and everything — regardless of whether you’re under suspicion,” said Kling. “It creates this massive database nationally of DNA,” said Ed Yohnka of the ACLU. “It opens up all kinds of opportunities for discrimination, denials for other kinds of mistreatment that frankly we shouldn’t do because government shouldn’t have the information in the first place,” said Yohnka. [Source]

Health / Medical

US – Workers Fired Over Kardashian Breach

Five healthcare workers from Cedars-Sinai Medical Center—a common destination for celebrities seeking medical treatment—have been fired for unauthorized access to 14 patient records, including those of Kim Kardashian. Representatives from the organization said they have a “high standard for security” and “in this case that standard was violated.” In other breach news, the personal records of as many as 277,000 former patients of a North Texas hospital were found in a Dallas park and included contact details and SSNs. And Long Beach Memorial Medical Center has notified 2,864 patients their medical records have been compromised. Reports state the breach stems from an internal employee but no further details have been issued thus far. [Reuters] See also: [NZ: Ryder’s privacy breached during hospital stay – investigation] and [Florida Department of Health sweeps confidential Rx data leak under rug] and [US: Fort Worth Hospital Notifies Patients from 1980 to 1990 of Potential Records Privacy Issue]

US – Health Sites Under Scrutiny Over Mining of Data

The New York Times reports on Illinois Attorney General Lisa Madigan’s recent inquiry into the data-mining practices of popular health websites such as WebMD and Health.com. Madigan has sent letters to the sites’ executives citing concerns about the dissemination of data related to web surfers’ health-related searches, the report states. “Health-related information, which would be protected from disclosure when said in a doctor’s office, can be captured, shared and sold when entered into a Web site,” Madigan wrote, adding that consumers likely overlook such concerns if information on disclosures is buried in privacy policies. One researcher recently found third-party entities often track patients searching health-related terms. [The New York Times] See also: [Privacy, security concerns of enabling patient access to PHI]

US – Digital Diapers Track Children’s Health

Newly developed baby diapers complete with digital tracking technology can detect potential urinary tract infections, kidney dysfunctions and dehydration. Developed by Pixie Scientific, the diaper connects to a smartphone app and can transmit the health data to a central database where a physician can interpret the information. The technology is currently being tested by a number of children’s hospitals and, if successful, would then be submitted to the U.S. Food and Drug Administration for approval. Pixie Scientific’s founder said, “You really don’t want to overload parents with data they don’t understand…Eventually, the quantified self idea will be mostly silent and unobtrusive, just something inside the existing flow of life.” [The New York Times]

Horror Stories

US – WellPoint to Pay US $1.7 Million for HIPAA Violations

The U.S. Department of Health and Human Services (HHS) has announced that insurance provider WellPoint has agreed to pay a $1.7 million fine for inadequately protecting a database containing more than 600,000 personal records, according to an HHS press release. Between October 2009 and March 2010, the health data of 612,402 individuals—including names, addresses, birth data and Social Security numbers—was accessible online. The investigation revealed WellPoint “did not have adequate policies and procedures for access to the online application database” that was breached and did not have “technical safeguards” in place for access verification. WellPoint was ordered to pay US $100,000 to the state of Indiana to settle charges resulting from a breach that exposed personal information of 32,000 Indiana patients. [SC Magazine] [ComputerWorld] [BusinessWire] [IT World] See also: [North Carolina: Some security experts criticize Blue Cross’ handling of private data] [Wyndham, LabMD Cases Challenging FTC: Two cases could disrupt FTC’s data security authority]

UK – ICO Fines NHS Surrey Over Patient Data on Resold Hard Drive

NHS Surrey has been fined GBP 200,000 (US $302,000) over data remaining on a hard drive sold on eBay. The storage device held records of nearly 3,000 patients and had been given to a third party for secure destruction. The drive in question was in a PC that was part of a lot provided to the data destruction company. All the hard drives and data were supposed to be destroyed, and the company had provided certificates saying that the actions agreed upon had been taken. The ICO chastised the hospital for providing inadequate oversight of the data destruction company. [TechWorld] [v3.co.uk]

UK – Sony Drops Fine Appeal

Sony has abandoned its appeal of a GBP 250,000 (US $376,000) fine imposed after a 2011 PlayStation Network (PSN) hack. The UK Information Commissioner’s Office (ICO) fined Sony in January 2013, after finding the company negligent for inadequately protecting PSN user data. Sony initially said it would appeal the fine, but has since changed its position, citing the company’s “commitment to protect[ing] the confidentiality of [its] network security from disclosures in the course of the proceedings.” Sony has stated that it remains opposed to the decision. [BBC.co.uk] [v3.co.uk]

WW – Data Breach Roundup

Four million members of Club Nintendo—Nintendo’s member website—have had their names and contact information illegally accessed, according to the videogame maker. The company has been quick to note that it has not confirmed misuse of this information. “Nintendo confirmed there had been around 15.46 million fraudulent login attempts from June 9 through (last) Thursday, of which 23,926 were successful,” The Japan Times reports.

An employee at Guilford County Schools in North Carolina sent a PDF containing the names, addresses, grades and other records of 456 rising seniors at Page High School to a student’s guardian. The school district reports that the breach was accidental and was quickly identified and investigated.

Indiana’s Family and Social Services Administration began notifying some 187,533 individuals that the state agency accidentally disclosed their personal information, monthly benefit amounts, some medical information and even Social Security numbers to members of the public. The breach allegedly stemmed from a computer programming error.

Morningstar revealed that it suffered a breach last April, compromising personal information and credit card details from some 2,300 users of its investment research service, Morningstar Document Research. Morningstar further warned that the passwords and e-mail addresses of some 182,000 users may have been illegally accessed. The AP reports that Morningstar offered affected customers a year of free identity protection services.

The Information Commissioner’s Office (ICO) could impose a fine of up to 200,000 GBP on Herefordshire Council following a breach that was reportedly “so sensitive that to reveal its details also risks breaching the Data Protection Act.”

Pulse, a weekly medical publication, published survey results showing that the number of data breaches at 55 UK hospitals increased 20% year-on-year through June 2013. Many of the reported breaches were one-off incidents, giving rise to the possibility that the increase might reflect more thorough reporting practices and awareness rather than increased data theft or inadequate security.

In breach litigation in the U.S., the Tennessee Court of Appeals ruled that a lawsuit stemming from the hacking of Copper Basin Federal Credit Union’s computers can move forward. The lawsuit alleges that the hacking and the resulting illegal transfer of funds was a result of negligence by Fiserv Solutions, a contracted technical support provider. The complaint claims that Fiserv failed to activate the antivirus firewall and protection software it required the credit union to purchase as part of its service contract.

In Missouri, the Office of the Attorney General has determined Schnuck Markets Inc. did not violate Missouri data security law, St. Louis Business Journal reports, noting the determination follows an investigation into a widespread data breach at Schnucks.

The Federal District Court for the Middle District of Florida threw out a class-action lawsuit alleging that employees at Adventist Hospital System’s Florida Hospital Celebration sold patients’ PHI. The dismissal for lack of subject matter jurisdiction notes that as HIPAA/HITECH does not provide for a private right of action, just a regulatory penalty, there was no sufficient federal issue to justify a hearing in federal court. State law, however, may accord the plaintiffs an avenue to pursue their claims.

ID Experts has compiled 12 “top trends in data breach, privacy and security” as enumerated by some of the top minds in the field. Advanced persistent threats—long-term, undetected hacks—and globalized data thieves top the list. A colorful infographic makes things easy for those who want to do less reading. Meanwhile, Corporate Counsel offers advice for communicating with customers following a breach incident.

The University of South Carolina has sent letters to 6,300 students whose personal information may have been on a stolen laptop, Greenville Online reports. The information included Social Security numbers. The school is currently working toward a new cybersecurity program.

A Virginia trooper has been indicted on one felony and eight misdemeanor counts of computer invasion of privacy based on allegations she was improperly using the Virginia Criminal Information Network.

Personal information has been stolen from the Michigan Department of Community Health website: thieves have obtained the personal information of about 49,000 individuals from Michigan Department of Community Health records, a department spokeswoman confirmed.

Game company Ubisoft has announced its systems have been breached by cybercriminals, recommending users change passwords immediately. The attack divulged user names, email addresses and encrypted passwords, Ubisoft said. The company said it does not store payment information. [Source]

Identity Issues

US – Internet Groups Complain About COPPA Compliance Costs

Internet groups have complained to the FTC that new regulations to protect children’s privacy online are financially burdensome to start-ups. The regulations went into effect July 1 and not only hold sites and apps that collect data from children under 13 responsible for ensuring parental consent but also for any affiliated third-party services collecting data on their sites. The FTC estimates annual compliance costs for current web services at $6,223 and new services at $18,670. The report states 85 to 90 percent of the web services are run by small businesses. [Los Angeles Times]

US – The USPS Is Selling Data to Brokers

The United States Postal Service (USPS) has a relationship with various data brokers. According to the report, the USPS will sell change-of-address information to a data broker provided the firm purchasing the data has the user’s previous address. The USPS National Change-of-Address program (NCOA) approves licenses to approximately 500 companies. “There’s nothing terrible about NCOA, but people should be given a choice,” said privacy expert Bob Gellman. “New movers are fodder for data brokers, who sell mailing lists to marketers and who also maintain lifetime files on every household in America. NCOA is a prime source of this information.” There is, however, a loophole for consumers that prevents data brokers from accessing the updated address. [Forbes] See also: [US: Is IRS Legally Free to Expose Private Info?]

CA – Canadian ePassports Arrive July 1

Starting July 1, Canadians will receive a redesigned ePassport featuring several new security and anti-counterfeiting measures, including an electronic chip that stores the user’s personal information. Travellers are not required to replace their current passports. Older passports will remain valid until their stated expiry date, Passport Canada says. Addressing privacy concerns, the agency says the passport chips can only be read from a 10-centimetre range, making it unlikely that the chip can be read without the user’s knowledge. Canada is the last G7 country to adopt chip-enhanced passports; over 100 countries, including the U.S., France, Germany and the U.K. already employ ePassports. [Source]

US – Equifax Credit Agency Snags TrustedID

Equifax, one of the three largest U.S. credit-reporting agencies, has acquired TrustedID, which specializes in identity protection. The terms were not disclosed in Monday’s announcement, but AllThingsD pegs the price at about $30 million. Palo Alto, Calif.-based TrustedID, which was founded in 2004, will become part of Equifax Personal Solutions, its direct-to-consumer business unit. Equifax’s interest in the smaller company is threefold: its technology is robust, its existing partner relationships (for example, its exclusive deal with AARP) are coveted, and Equifax’s own credit and identity products could use reinforcement. TrustedID’s data protection abilities reach far, from social media to snail mail. Equifax has previously indicated that it sees the personal data security market as a growth opportunity. [Source]

JP – Train Operators’ e-Ticket ‘Big Data’ Sale Sparks Privacy Backlash

Last week, JR East – Japan’s largest train operator – and Hitachi made a seemingly nondescript announcement that East Japan Railway was selling the anonymized e-ticket histories of millions of passengers as marketing data, and it almost did not get noticed. A few prominent bloggers then highlighted the fact that this is the first time that e-ticket transaction histories would be sold to third parties as marketing data, sparking a storm of discussion that has now spilled over to social networking sites. JR East continues to argue that the data is mostly anonymous. “There is no way to determine the identity of specific individuals from the data, so we feel there is no privacy issue.” [Source]

Internet / WWW

US – Utah ISP Won’t Share Your Data Without a Warrant

The Guardian profiles a tech company operating in Utah that has spent the past 15 years “resolutely shielding customers’ privacy from government snoops in a way that larger rivals appear to have not.” Xmission is Utah’s first independent and its oldest Internet service provider and has only 30,000 subscribers, but it has cited the Fourth Amendment in order to rebuff dozens of warrantless requests from local and federal law enforcement authorities. “I would tell them I didn’t need to respond if they didn’t have a warrant, that to do so wouldn’t be constitutional,” said Founder and CEO Pete Ashdown. “I’m not an unpaid branch of the government or law enforcement.” [The Guardian]

US – Researcher Finds Health-Related Searches Threaten Privacy

A researcher at the University of Southern California says patients searching for health-related information online may have their privacy threatened. Marco Huesch searched key terms such as “depression,” “herpes” and “cancer” on health-related websites. Using free privacy tools such as DoNotTrackMe and Ghostery, Huesch found third-party entities tracking him. Sampling 20 high-traffic sites, including the Food and Drug Administration and WebMD, at least one third-party entity—and as many as six or seven—were tracking him on each site, he found. Additionally, 13 out of 20 sites contained third-party elements that tracked user data, and seven of those 13 leaked Huesch’s searches to tracking entities, the report states. [AFP] SEE ALSO: [Stalkers use online sex ads as weapon]

WW – Visualizing Your Metadata

The New York Times reports on Immersion, an MIT Media Laboratory project that mines a consenting user’s e-mail metadata and creates an interactive graphic. “The result is a creepy spider web showing all the people you’ve corresponded with, how they know each other and who your closest friends and professional partners are,” the report states. Meanwhile, a German politician who sued a telecommunications company for his phone data over a six-month span has, in conjunction with ZEIT ONLINE, created a mapped visual of his day-to-day life. By combining Green Party Politician Malte Spitz’s phone data, which includes location information, with publicly available data—including information relating to his political life, Twitter feeds and blog entries—a robust and detailed interactive portrait emerges of Spitz’s personal movements. [New York Times] SEE ALSO: [You may already be a winner in NSA’s “three-degrees” surveillance sweepstakes!] and [UK Businesses Get Creative With Consumer Data at the ‘MIDATA’ INNOVATION LAB Launch] [Internet inventor Vint Cerf: No technological cure for privacy ills]

Law Enforcement

US – Security Cameras at Boston’s July 4th Celebration Raise Privacy Concerns

One thing you can expect to see in Boston on this Fourth of July: many, many more police than usual — and many more security cameras too. Law enforcement is responding aggressively to the security issues raised by the marathon bombings, and the ACLU of Massachusetts is raising privacy concerns. Massachusetts State Police Superintendent Col. Timothy Alben said security cameras are being deployed at and around the Fourth of July events in unprecedented numbers. Operated wirelessly, the cameras’ recordings will be downloaded to a central server, he said, where, from a technical point of view at least, they could be kept indefinitely. “We haven’t developed a policy on how long we’ll keep it,” Col. Alben said. “I think again we did a lot of this in preparation for this particular event. And, as we move forward, we’ll refine the policy, I think, on keeping it.” That lack of refinement has the ACLU of Massachusetts concerned. Kade Crockford, who directs the group’s Technology for Liberty Project, says it is legitimate for law enforcement to deploy such cameras to protect safety at big public events. “That said, I think it’s very troubling that the police do not have a policy to govern the use of these cameras,” she said. Most police departments that use surveillance cameras do have such policies, Crockford noted. They are needed, she said, to ensure that free-speech protected activities — including anti-federal surveillance protests scheduled for the Fourth of July — are not monitored illegally. [Source]

Location

US – Data Brokers Are Now Selling Your Car’s Location for $10 Online

Forbes reports on the business of license-plate recognition. One data broker, TLO, announced recently it has begun selling location information on license plates that have been filed and identified, and police have started using the technology to track suspects. TLO’s “massive” database claims to add up to 50 million new vehicle sightings each month. “One possible longer term issue around license-plate recognition is that new firms in the field seeking to gain market share could gather specific data such as who was visiting what churches or mosques, underground clubs or medical clinics and perhaps distribute that information more freely than companies now do,” the report states. [Source]

US – States Move on Laws Requiring Warrants for Cellphone Records

The New York Times reports on a recently passed Montana bill that requires police to obtain a search warrant before determining a suspect’s location based on cellphone carrier records. Realizing the value of metadata and the ability of cellphones to track our daily movements, Montana’s governor signed the location information privacy bill—reportedly the first of its kind in the nation—into law on May 6. Other states are working to pass similar bills. Maine’s version is on its way to the governor’s desk, and Massachusetts will hold a legislative hearing on a similar measure next week. [Source] [Source]

Online Privacy

WW – W3C Rejects Ad Industry’s DNT Proposal

The World Wide Web Consortium (W3C) has rejected the Digital Advertising Alliance’s (DAA) draft proposal for a universal Do-Not-Track standard. W3C said the DAA proposal was “less protective of privacy and user choice than their earlier initiatives.” The group says it will instead work from the “June draft,” though even privacy advocates say the draft faces “insurmountable obstacles to adoption by the deadline at the end of this month.” [AdAge] [Daily Examiner] [MediaPost: Mozilla Questions IAB’s Do-Not-Track Estimates] [As the Do Not Track standard unravels, privacy alternatives emerge]

WW – Do-Not-Track Continues To Spark Fires

Microsoft’s newest version of Internet Explorer (IE) allows users to grant permission for specific websites to log their movements. IE11 debuted in the Windows 8.1 preview last week and features a default Do-Not-Track setting with a “user-granted exceptions” option. Meanwhile, following criticism over its plans to move forward with a project to block third-party cookies in the Firefox browser, Mozilla’s Harvey Anderson said there’s “no constitutional right that allows people to modify my computer.” The Digital Advertising Alliance has called the proposal “draconian.” [IT Pro]

WW – Twitter Adopts DNT by Default

Twitter will begin using cookies to track users and deliver advertising, but because its program abides by Do-Not-Track settings and has a clear opt-out, privacy advocates are praising it. An Electronic Frontier Foundation activist said in a blog post, “We think Twitter is setting an important example for the Internet: It is possible to exist in an ecosystem of tailored advertisements and online tracking while also giving users an easy and meaningful opt-out choice.” Meanwhile, Vine, a video-sharing site owned by Twitter, has added privacy settings to its services—including the ability to make Vines private. [PC Pro]

WW – Facebook Rolls Out Graph Search to Millions

Several hundred million people will have access to Facebook’s Graph Search beginning this week, six months after its beta testing. The tool is “designed to take any open-ended query and give you links that might have answers,” according to Facebook CEO Mark Zuckerberg. Upon its initial release, the tool prompted concerns that it would compromise the privacy rights of minors. It “makes paying attention to privacy settings much more important if you don’t want embarrassing photos from years ago dredged up or your public contact information scraped,” the report states. [Tech Crunch] SEE ALSO: [Facebook defends Graph Search’s privacy controls for teens | Facebook blog post] and [Facebook’s new promoted-post feature sparks privacy concerns] and also: [How To Opt Out of Receiving Facebook Ads Based on Your Real-Life Shopping Activity]

Other Jurisdictions

AU – Media Companies Told to Adapt to Australia’s New Digital Privacy Laws

Changes to the Privacy Act mean digital publishers face fines of more than $1 million unless they are transparent about personal data they collect and use. The new rules come as the traditional print media targets users who now prefer to use mobile devices through social media sites like Facebook and Twitter. The warning is highlighted in a report released by the consulting group PricewaterhouseCoopers. [Source]

IN – Gov’t Surveillance Raises Trust Concerns

The New York Times reports on India’s Centralized Monitoring System—its new surveillance program—and whether citizens can trust that the government will not infringe on their privacy. The government has said it will abide by laws mandating that it receive proper authorization prior to intercepting communications and that privacy will be better protected. “But there are a host of reasons why the citizens of India should be skeptical of those official claims,” the report states. [Source]

Privacy (US)

US – How First PCLOB Meeting Affects Private Firms

At the Privacy and Civil Liberties Oversight Board’s first public meeting since its reemergence under new Chairman David Medine, the focus was very precise: What direct and concrete improvements could be made to improve “Surveillance Programs Operated Pursuant to Section 215 of the USA PATRIOT Act and Section 702 of Foreign Intelligence Surveillance Act.” Ideas generated included making the FISA Court adversarial, decreasing the vagueness around “data minimization,” instituting a data retention law and a number of other suggestions. [The Privacy Advisor]

US – Judge Grants Chevron Access to Activists’ Online Data

A U.S. federal judge has ruled to allow Chevron, via subpoena to Microsoft, Google and Yahoo, access to the IP usage records of more than 100 environmental activists, journalists and attorneys. The company has requested the records to piece together a lawsuit alleging the oil company was the victim of a conspiracy ending up in an $18.2 billion judgment against it for the dumping of 18.5 billion gallons of oil waste in the Ecuadorean Amazon, the report states. The Electronic Frontier Foundation’s Marcia Hoffman said, “These sweeping subpoenas create a chilling effect among those who have spoken out…” The subpoena, according to ERI, requests personal information of each account holder and every login over a nine-year period. [Common Dreams]

US – The Future of Consumer Privacy Class Actions

The New York Law Journal explores the potential future of consumer privacy class-action lawsuits in light of the recent comScore decision, noting that it and “other recent decisions allowing privacy cases to proceed in the absence of actual damages suggest that the legal landscape may be changing, and that privacy could be the next significant frontier in class-action litigation.” Meanwhile, The Sun Sentinel reports malpractice lawyers have argued that a new Florida law, Ch. 2013-108, may violate patient privacy. [Source]

US – Children’s Privacy Suits To Be Heard in NJ

The U.S. Judicial Panel on Multidistrict Legislation has sent six class-action lawsuits alleging Google and Viacom “violate children’s privacy by using cookies to track their Internet use and target them for ads” to New Jersey to be heard. A nationwide class-action was filed back in December in Texas by Stephanie Fryar, who “claimed that when her sons registered and created profiles on three Viacom-operated websites…the defendants placed a doubleclick.net cookie ‘id’ on the children’s computers to track their communications to those websites and others,” the report states, noting similar cases were filed in California, Illinois, Missouri, New Jersey and Pennsylvania. [Courthouse News Service] [National Law Journal]

US – Leslie Harris to Step Down at CDT

Leslie Harris, who has headed the Center for Democracy & Technology (CDT) since 2005, announced this month that she will resign from her post in March of 2014, just as the CDT celebrates its 20th anniversary. Harris made it clear that she is not retiring but rather “right-sizing,” and she is hardly done with her work in the privacy arena. Hear her thoughts on CPOs’ human rights obligations, the status of current legislation, where CDT goes from here and more. [Source]

US – DHS Secretary Napolitano Resigns to Head University of California System

Homeland Security Secretary Janet Napolitano, who led the burgeoning Department of Homeland Security through a host of policy changes in the era after the Sept. 11, 2001 attacks on the U.S., is resigning to head the University of California system. Napolitano, just the third person to lead the 10-year-old department, told her senior staff Friday she would be leaving to become the president of the University of California system. The university also announced Napolitano’s nomination to be the 20th president of the statewide system. A former Arizona governor and attorney general, Napolitano was appointed by President Barack Obama in 2008. She had led the department through a series of policy changes with respect to protecting the public safety, including a focus on enforcing immigration laws. [Source]

Privacy Enhancing Technologies (PETs)

WW – Pirate Bay Founder Aims to Create Spy-Proof Messaging App

It took 36 hours for users to contribute $100,000 to fund an app designed to avoid government spy agencies. The app, called Heml.is, is Swedish for “secret.” It aims to give users an alternative to major tech companies. “We’re building a message app where no one can listen in, not even us,” the creators said of the product. Pirate Bay founder Peter Sunde is working with app developers to create a mobile messaging application that uses end-to-end encryption, which means that only the sender and the recipient will be able to read messages. Sunde says there will not be ads on the app and that it will not sell user data to advertisers. The funding will come solely from users, who will have to pay extra to use certain features, such as sending images. [CNET] [ComputerWorld] [Source] See also: [Kremlin Returns to Typewriters]

WW – New Privacy Enhancing Technology Preserves Web Anonymity and Privacy

Ontario’s Information and Privacy Commissioner, Dr. Ann Cavoukian, presented the 2013 Award for Outstanding Research in Privacy Enhancing Technologies (PET) via video at Indiana University in Bloomington, Indiana. Dr. Cavoukian and Microsoft co-sponsor the award, which was created in 2003 to encourage the development of technology that protects privacy rather than threatens it. The winners are selected by a global panel of leading technology researchers. The winning paper, “Adversarial Stylometry: Circumventing Authorship Recognition to Preserve Privacy and Anonymity,” is based on research conducted by Sadia Afroz, Michael Brennan, and Rachel Greenstadt. The paper examined methods for defeating stylometry, which has recently been revolutionized online by advances in computer algorithms. The privacy concern arising from stylometry is that it can be used to reliably link anonymous or pseudonymous text to identifiable individuals. To lessen these risks, the authors developed software called “Anonymouth” that assists users by suggesting modifications to their text that defeat stylometry. [Source] [More information about the privacy technology awards]

UK – Anonymisation Network Launched at University of Manchester

The University of Manchester has launched a new expert network that will help businesses to safely manage and share sensitive information. The UK Anonymisation Network (UKAN) was supported by the University and is now led by Dr Mark Elliot, who is based at The University of Manchester’s School of Social Sciences. Funding was provided by the UK Information Commissioner, while the Open Data Institute also offered support alongside the Office for National Statistics and the University of Southampton. UKAN will provide advice to organisations and companies on how to reduce the risks around holding personal details of individuals and the inadvertent sharing of data. The network aims to lay a foundation of best practice for anonymisation and give advice to anyone who handles sensitive data, especially those in health, education and policing. UKAN will help to deliver the Government’s Transparency Initiative, which hopes to dispel any culture of data secrecy within Government departments, public bodies, businesses and other organisations. “The network will also provide important best practice advice on how data can be successfully anonymised in compliance with the UK Data Protection Act,” said Christopher Graham, UK Privacy Commissioner. [Source]

Security

WW – Chinese CERT Reports Increases in Mobile Malware – 80% on Android

According to data from the National Computer Network Emergency Response Team/Coordination Center of China (CNCERT/CC), China experienced a 25-fold increase in detected mobile malware samples between 2011 and 2012. More than 80% of the malware samples targeted Android devices. Forty percent of the malware was designed to launch fee-based services on the mobile devices. CNCERT/CC also reported that in 2012, 73,000 Trojan and botnet command-and-control servers hijacked 14.2 million host machines in that country. [ComputerWorld] [ZDNet] [PCWorld] See also: [Critical Android Flaw Lets Attackers Insert Code Into Signed Apps] and [South Korean Defense Ministry to Prohibit Certain Smartphone Functionality]

US – CTO Tests Company Employees’ Phishing Smarts

Several weeks ago, the chief technology officer at Atlantic Media sent out a phony phishing email to all 450 company employees. The message appeared to come from Google Apps and asked recipients to click on a link to confirm their account information. When the employees clicked on the link, they were taken to a website that revealed the security test. About 120 employees clicked on the link. Another 120 opened the message but did not click on the link. CTO Tom Cochran noted, “Telling someone that something is bad can happen is not as good as demonstrating it.” The remaining employees either called or messaged Cochran about the suspicious message, and some flagged it in their inboxes. While Cochran believes in the value of security education for employees, Bruce Schneier says they are a waste of companies’ time and money, because “you’re only as strong as your worst offender.” Schneier noted that a better choice would be “investment in systems that take user mistakes out of the loop.” [SCMagazine]

US – Symantec Releases Mobile Privacy Product

Symantec has released a new privacy product capable of scanning a mobile device for data an application may be leaking about the user. Norton Mobile Security for Android devices checks for “malicious applications, privacy risks and potentially risky behavior.” While Norton’s suite of mobile security products has typically focused on malicious threats, Michael Lin, vice president of Symantec Mobility Solutions, said that this latest solution reacts to the fact that “now we are seeing threats impact mobile applications and data being shared without the user’s knowledge or consent.” This latest product aims to “protect users from these types of privacy threats as well.” [Source]

Surveillance

WW – Spying Reports Give Momentum to ECPA Reforms, Spur Legal Actions

Revelations about the U.S. NSA surveillance of domestic and foreign communications should add momentum to the already politically charged atmosphere surrounding updates to the U.S. Electronic Communications Privacy Act—and on both sides of the aisle, Politico reports. Already, Senate Judiciary Committee Chairman Patrick Leahy (D-VT) has co-sponsored a reform bill, and House Judiciary Committee Chairman Bob Goodlatte (R-VA) has pledged to make the issue a priority. In the UK, lawyers for Privacy International have filed legal papers calling for an immediate suspension of Britain’s use of material from the NSA’s PRISM program, and in the U.S., The New York Times reports on EPIC’s plans to file an emergency petition with the Supreme Court today asking that it stop the NSA’s surveillance program altogether. The Hill discusses “five unanswered questions about the NSA’s surveillance programs,” including the scope of the programs, additional data being collected under the USA PATRIOT Act and other programs the public may not be aware of, and The Guardian reports on the NSA’s bumpy ride at a recruitment drive on a U.S. college campus last week. See also: [‘America has no functioning democracy’ – Jimmy Carter on NSA]

EU – EU Officials, U.S. Privacy Group Seek Answers, Action

PC World reports the “European Parliament gave European Commissioners and national ministers some extra ammunition Thursday in discussions with the U.S. following allegations about American spying and the PRISM scandal: possible suspension of data-sharing agreements.” The European Parliament is asking the U.S. “to provide full disclosure of any spying activities” and has established an inquiry to review the allegations, but it “stopped short of suspending bilateral trade talks due to start on Monday,” the report states. Meanwhile, the European Commission has written to the UK for answers about its surveillance program, Tempora. In the U.S., the Electronic Privacy Information Center’s Domestic Surveillance Project announced Thursday that it plans to file a petition with the Supreme Court “to vacate the Foreign Surveillance Intelligence Court ruling” authorizing the NSA’s collection of metadata on U.S. phone calls. [Source] SEE ALSO: [Claims that France has Internet spying program similar to America’s hugely embarrassing to Hollande]

EU – German Chancellor Calls for New ISP Agreement; NSA Fallout Continues

German Chancellor Angela Merkel has called for a strict European agreement on data protection that would require all ISPs operating in Europe to reveal the personal information they keep and with whom they share it. Merkel has suggested that the requirement could be codified within the International Covenant on Civil and Political Rights, but there’s some doubt as to the feasibility of that. Meanwhile, EU Justice Commissioner Viviane Reding said revelations surrounding the U.S. National Security Agency’s surveillance program helped add momentum to the case of those already calling for stronger data protection measures in the EU. Meanwhile, Politico reports on privacy issues’ impact on U.S.-EU trade talks. [CNN] See also: [No Feds at DEF CON, What Comes Next?]

US – Brick-and-Mortar Tracking on the Rise

Last year, department store Nordstrom sought to learn more about its customers by testing a new technology that allowed it to track customers’ movements via the WiFi signals from their cell phones. But when it posted a sign telling customers they were being tracked, it heard complaints and eventually ended the program. “The creepy thing isn’t the privacy violation, it’s how much they can infer,” said one shopper. An increasing number of businesses now offer the technology for brick-and-mortar shops to track users like digital shops can. Meanwhile, the ACLU has criticized AT&T’s plans to sell anonymous customer location data, saying customers can be identified. [The New York Times] [Senator Franken Letter to Euclid] See also: [TTC suspends covert camera use]

Telecom / TV

US – AT&T Privacy Policy Updated, May Start Selling Anonymous User Data

AT&T has a new privacy policy and may begin selling anonymized user data to third parties. The company cites “more relevant advertising” as its reason for selling the data, joining other big tech companies in the practice. AT&T will offer customers the opportunity to opt out, and plans to sell demographic and device information as well as information on viewing behavior through its television service. Pointing to Verizon’s use of consumer data, AT&T’s privacy policy states, “we similarly plan to provide our customers with these sorts of personalized services, and we’re committed to doing so in line with our long-standing policy to respect and protect our customers’ privacy.” [Slashgear]

US Government Programs

US – NSA Files Show Microsoft Encryption Was Bypassed

The Guardian reports on documents obtained from Edward Snowden on the U.S. National Security Agency’s (NSA) surveillance programs that indicate encryption was bypassed to access documents. The documents show “Microsoft helped the NSA to circumvent its encryption” and the NSA had “pre-encryption stage access to e-mail on Outlook.com, including Hotmail,” the report states. Microsoft has responded, “When we upgrade or update products, we aren’t absolved from the need to comply with existing or future lawful demands,” noting customer information is only provided “in response to government demands, and we only ever comply with orders for requests about specific accounts or identifiers.” Meanwhile, The New York Times reports that Sen. Ron Wyden (D-OR) has said he believes the NSA may soon abandon the practice of collecting bulk phone records. [Source] See also: [US-Made Internet Monitoring Tools Detected on Networks in Sudan, Iran, and Syria]

US – FISA Court Wants Obama to Declassify Yahoo Case

The U.S. Foreign Intelligence Surveillance Court has ordered the Justice Department to review a 2008 secret court opinion—allegedly requiring Yahoo to turn over online communications of its consumers—to determine how much it can publicly release. Judge Reggie B. Walton also called on the Justice Department to review the arguments Yahoo and the government made in the case. Walton would then publicly release the court’s justification. Meanwhile, the Electronic Frontier Foundation has recognized Yahoo “with a star of special distinction” in their Who Has Your Back survey “for fighting for its users in (secret) courts.” [The Washington Post] See also: [For NSA chief, terrorist threat drives passion to ‘collect it all,’ observers say] [Can Gov’t Safely Use FISA To Justify Surveillance?]

US – Postal Service Tracking, Retaining Images of Mail

The New York Times reports on a little-known but long-running surveillance system by the United States Postal Service (USPS). Leslie James Pickering, a bookstore owner who, a decade ago, was spokesman for a radical environmental group flagged by the FBI as eco-terrorists, noticed a handwritten card mistakenly delivered with his mail stating any mail headed to his address should be shown to a supervisor first. He was being tracked by the Mail Isolation Control and Tracking program, in which the USPS photographs the exterior of every piece of paper mail processed in the U.S. The more-than-a-century-old program provides such images to law enforcement officials who request them, the report states. [Source]

US – Updated COPPA Rules Now in Effect

The US Federal Trade Commission’s (FTC’s) revised rules for the Children’s Online Privacy Protection Act of 1998 (COPPA) took effect on July 1, 2013. The law prohibits the collection of personal data from children without first obtaining verifiable parental consent. It also requires websites to have clear and accessible privacy policies, and to ensure the security of information they collect from children under age 13. The updated rules specify that personal information now includes “geolocation information and persistent identifiers that can be used to recognize a user over time and across different websites or online services,” and photos, videos, and sound recordings. COPPA applies to smartphone apps as well as websites. [Information Week] [COPPA Amendments]

US – NPPC Joins in Lawsuit over EPA Privacy Breach

The American Farm Bureau Federation and the National Pork Producers Council (NPPC) have jointly filed a federal lawsuit and temporary restraining order to halt disclosures of farmers’ personal information by the U.S. Environmental Protection Agency (EPA). The move comes after the EPA released the personal information of tens of thousands of farmers, including names, addresses and personal contact information, after a number of Freedom of Information requests by animal rights groups. Filed before the U.S. District Court for the District of Minnesota, the order seeks to stop the disclosures and clarify the EPA’s role in keeping personal data private in such circumstances. [National Hog Farmer]

US Legislation

US – Florida Attorneys Work to Overturn Malpractice Law

Five lawsuits filed in state and federal courts on Monday claim a new Florida state law (SB 1792) violates patients’ privacy rights. The law, which went into effect on Monday, aims to protect doctors facing malpractice suits and, according to one complaint, authorizes “unlimited and unfettered release of personal health information to those defendants without the valid consent of claimants.” “The law allows—but does not require—any healthcare provider called as a witness to breach patient confidentiality and give the defendant’s attorneys information about a patient’s treatment,” reports The Miami Herald. The provision applies only to the pre-filing informal fact-finding period; once a suit is filed, court rules apply. The suits, filed in Tallahassee, West Palm Beach and Miami federal courts and in state courts in Pensacola and Fort Lauderdale, claim this provision contravenes HIPAA.

US – Missouri Gov. Vetoes Workers’ Compensation Database

Missouri Gov. Jay Nixon axed a bill that would have created a database of workers who have filed workers’ compensation claims in the state. The law would’ve allowed employers to input job applicants’ names and Social Security numbers into the database to see whether they had filed a claim, the date of the claim and its status. According to a report in The Republic, Missouri’s Division of Workers’ Compensation estimated the database would start out with 554,000 records, adding about 13,000 per year.

US – Senate Issues Draft Cybersecurity Bill

The US Senate is circulating a draft cybersecurity bill. A similar measure failed last year. The bill aims to establish voluntary cybersecurity standards for organizations that operate elements of the country’s critical infrastructure. It also calls for increased research and development in cybersecurity defenses and increased software vulnerability information sharing. [NextGov] [The Register]

Workplace Privacy

US – Court Ruling Impacts BYOD

What happens to an employee’s expectation of privacy regarding her personal e-mails on her company-issued Blackberry after she leaves the company? If a recent ruling by the U.S. District Court for the Northern District of Ohio stands up to further scrutiny, the answer could be that a former employee has greater expectations of privacy after her departure than while she was still employed. In Lazette v. Kulmatycki, the court ruled the Stored Communications Act (SCA) applies to unauthorized access of employees’ personal e-mail accounts, among other determinations. [Source]

CA – Enforcement of Privacy Policy in Steel v. Coast Capital Savings Credit Union

In a recent decision of the British Columbia Supreme Court, the Court upheld the termination for cause of a help desk analyst in the IT department who had been employed for over 20 years at Coast Capital Savings Credit Union (Steel v. Coast Capital Savings Credit Union, 2013 BCSC 527). Employees at Coast were permitted to have a personal folder in which they would keep confidential business documents. Under the privacy policy at Coast, the files in the personal folder could only be read or edited by the employee who had the folder. Help desk employees were allowed to access personal folders but could only do so to resolve a technical problem and only if the employee who had the personal folder first gave permission to the help desk to access the folder. The restrictions on access to personal folders were clearly set out in the privacy policy at Coast. An employee tried to open a confidential spreadsheet in her personal folder. She got a message on her screen that the document was already in use by the help desk. The document in question was a waiting list of employees for parking spots. This was a confidential document that had information about employees’ seniority and rates of pay. The help desk employee had not requested permission to view the document in the other employee’s personal folder. She accessed it because she was curious about the waiting list for parking. Coast terminated her employment on the basis of breach of the trust “that is required in a position that holds access to confidential and private information.” Coast stated that it no longer had confidence in her. The Supreme Court decided that the help desk employee was in a position of trust because she was “given the ability to access confidential documents” as a result of her position on the help desk. She was not allowed to do that without the consent of the other employee. The Court stated that, “the employer had to trust Ms. Steel to obey its policies and follow the protocols. It had to trust Ms. Steel to only access such documents as part of the performance of her duties and follow the protocols when she did so. Such trust was fundamental to the employment relationship in relation to Ms. Steel’s position.” Accordingly, the Court upheld the termination for cause. The Court’s decision to uphold the termination for cause of an employee with over 20 years of service for a single breach of the privacy policy is a clear indication that Courts are prepared to treat privacy issues very seriously. If employees in a position of trust violate privacy policies, they may well be subject to termination for cause. [Source]

US – BYOD Spurs Worker Worry About Personal Privacy

Employers aren’t the only ones worried about workers using their own mobile devices in the office, new research shows. A study by network access solutions provider Aruba Networks revealed that BYOD, which is the term used for employees using personal smartphones and tablets for work purposes, is causing workers to be fearful of their employer checking out their personal information. Specifically, 45% of U.S. workers worry about giving their company’s IT department access to their personal data, and 46% said they would feel violated if their IT staff were to access any personal information contained on their mobile devices. The research found that these concerns are leading many employees to keep their personal devices away from the IT department, thus putting company data at risk. Nearly 20% of U.S. workers have not told their employers that they use a personal mobile device for work. The study discovered that some employees are so insistent on keeping their mobile-device use private that they would delay or fail to inform their employer about a data breach. More than 10% of those surveyed would not report that their personal device had been compromised, even if it leaked company data, and 36% would wait before reporting the data breach. [Source]

UK – Home Office Asks Supreme Court to Make Landmark Privacy Ruling

Britain’s Supreme Court judges are being asked to make a controversial ruling on whether the criminal records disclosure system infringes the human rights of some former offenders, preventing them from getting jobs. Home Office lawyers are asking the Supreme Court justices to overturn an Appeal Court ruling that the records disclosure system violated the human rights of some people who argue that previous incidents, where they got into trouble with the police, should be kept secret. Lawyers say the hearing later this month will result in one of the UK’s most important privacy rulings to date and could further provoke critics of human rights laws who are already angry at a recent European Court ruling that criticised Britain for its system of indeterminate life sentences for people convicted of the most serious offences, including multiple murders. Some MPs have argued for tightening rules on the reporting of convictions, particularly serious ones, to deter offenders from even applying for jobs working with the vulnerable. But civil liberties campaigners claim the existing rules mean that teenage “indiscretions” can blight employment prospects for a lifetime. The Appeal Court said the records disclosure regime legitimately sought to protect employers and children or vulnerable adults, but held that the disclosure of all convictions and cautions was “disproportionate” to that aim. An independent review of the disclosure regime has already recommended the introduction of a filter to remove minor and old convictions where appropriate, but the Government says it is still considering the issue. The UK government has already faced criticism from Strasbourg on this issue after it ruled that blanket notification rules imposed on sex offenders without the possibility of review breached their human rights. David Cameron described that decision as “appalling”. The far-reaching implications of any Supreme Court ruling became clear after The IoS learnt that vetting checks on people applying for jobs in “caring professions” have turned up almost a quarter of a million crimes in the past two years alone. Nick Pickles, director of the civil liberties group Big Brother Watch, said: “The risk-averse culture within the public sector has meant people struggle to get a second chance if they have any blemish on their past.” [Source]

+++

16-30 June 2013

Canada

CA – Poor Data Breach Tracking, Reporting Concerns Privacy Commissioner

Canada’s privacy czar has singled out several federal departments for their lacklustre approach to data breaches, citing a need for better reporting, security and tracking protocols. Jennifer Stoddart’s office has compiled a preliminary list of agencies with potentially worrisome patterns when it comes to the loss of Canadians’ personal information. The analysis is based on departmental figures tabled in Parliament in April in response to a question from New Democrat MP Charlie Angus. The response indicated there were more than 3,000 data breaches over a 10-year period affecting about 725,000 Canadians. After taking a close look at the numbers, the privacy commissioner identified nine departments and agencies that may lack adequate reporting mechanisms, have faulty security procedures or require improved tracking protocols. During a recent meeting, Stoddart urged Treasury Board President Tony Clement to amend privacy law to make reporting of federal data breaches mandatory. [Source]

CA – Gun Registry Data to Be Deleted in Quebec: Court

A Quebec court has sided with the Harper government, saying the province has no right to the federal long-gun registry data. Quebec’s highest court has ruled against the provincial government, which is trying to save data for that province from being destroyed. “Quebec has no property right in the data,” said the 14-page verdict. “The data does not belong to Quebec, and the provinces have no control over it. The Parliament of Canada, which considers the data at issue to be pointless and inefficient, and believes that its existence in a registry infringes the right to privacy, can certainly decide to stop compiling and preserving that information,” it noted. Various observers have predicted the issue will wind up before the Supreme Court. The long-gun registry was scrapped in the rest of Canada last year, but remains operational in Quebec following a series of injunctions safeguarding the Quebec data and ordering the registry be maintained while the federal-provincial battle plays out in court. [Source]

CA – Saskatchewan Privacy Rights Lag Behind Rest of West: Report

Saskatchewan’s Information and Privacy Commissioner says this province is lagging behind its neighbours in Western Canada in both privacy and access to information matters. Gary Dickson, who released his final annual report this week, says citizens of British Columbia and Alberta have stronger rights in these areas than people in Saskatchewan. His second five-year term as information and privacy commissioner ends April 27, 2014. In his report, Dickson says when it comes to access and privacy, “Saskatchewan is still a have-not province.” Dickson said he’d like to see administrative responsibility for privacy and access cases be moved out of the Ministry of Justice, citing concerns that the ministry takes an adversarial role. Another ministry might be better suited to promoting citizens’ access and privacy rights, he said. [Source] SEE ALSO: [Regina police aren’t required to identify pin pad fraud businesses] and [Canadians questioning privacy rights]

CA – Alberta Commissioner Rules Against Secret Trucker Database

This recent decision of the Privacy Commissioner of Alberta (Professional Drivers Bureau of Canada Inc. Case File Number P1884) deals with the collection of personal information of truck drivers by a private service company, called the “Professional Drivers Bureau”. This company collected personal information about drivers from trucking companies, created a database of information, and then offered a search service, by which trucking companies paid a fee for a report on the driver. In that report, the personal information about the driver was disclosed to the trucking company. The personal information was gleaned and compiled into a database over a long period of time, and it became clear during the Commissioner’s investigation that the individuals never consented to this collection, use and disclosure. The Commissioner ultimately decided that the “Professional Drivers Bureau” was in breach of Alberta privacy laws because it never obtained consent directly from the individual truck drivers. [Source]

CA – Alberta Premier Wants Anonymous Online Tool to Report Bullying

Alberta could soon move to implement a system to allow for anonymous online reporting of bullying in real time and is also looking to give police enhanced powers to combat the harassment and abuse of young people, says Premier Alison Redford. With bullying a hot topic at Monday’s Western Premiers’ Conference, Redford said she would like to follow the path of British Columbia, which brought in an online reporting mechanism as part of its “Erase Bullying” initiative in the wake of the suicide of bullied teenager Amanda Todd. B.C. Premier Christy Clark said the system allows students to report incidents of bullying as they are happening. School personnel are notified immediately, as are emergency personnel if necessary, she told reporters at the premiers’ closing news conference. As a follow-up, professionals at the district level connect with the school to provide support in dealing with the bully and the victim appropriately. “The important thing about this, though, is that it’s not an app that you load on to your iPhone, because kids don’t want to have a fink app on their iPhone. It’s an online reporting tool that you can go to on the web,” said Clark, who said there are “thousands” of cases of bullying occurring daily, but youth are afraid to report them because of the potential for retribution. [Source]

Consumer

US – Retailer Sued for Collecting Customer Zip Codes

Urban Outfitters Inc. is facing a class action in Washington federal court over allegations the clothing retailer collected customer zip codes in violation of District of Columbia consumer protection laws. The complaint, filed June 21 in U.S. District Court for the District of Columbia, accused Urban Outfitters Inc. of asking for customer zip codes in a way that implied the information was required to complete a credit card transaction. The plaintiffs claimed Urban Outfitters, which also owns Anthropologie-brand stores, used the zip codes to track down customer addresses for marketing purposes. [Source]

UK – Biz Launches Data-Driven Car Insurance for Youth

UK-based Tesco Bank has launched a new car insurance service that tracks and analyzes driver behavior to determine policy rates. Called Box Insurance, the company places technology in a customer’s vehicle and uses telematics data from the car, which is then sent to the insurer’s data center for analysis. The Association of British Insurers recently posted an advisory note warning that companies must be transparent about their data use, stating, “Consumers need to trust insurers to treat them fairly and protect their personal information.” Tesco has said it will “keep all your data, including driving data, safe and confidential,” adding that it won’t “share driving data with the police or other bodies without a court order or your consent, unless we suspect fraud.” [Information Age]

E-Government

CA – Taxpayers Assured Protection When Lodging Complaints Against Taxman

Canada’s taxpayers’ ombudsman is offering help for people who fear there may be a backlash if they lodge a complaint against the revenue department. Ombudsman J. Paul Dube has made an addition to the Canadian Taxpayers Bill of Rights that says Canadians are entitled to lodge service complaints and request formal reviews without fear of reprisal from the CRA. Dube says the new right was created because some taxpayers fear exercising their rights when dealing with the CRA. [Source] SEE ALSO: [Two CRA employees violated privacy laws for years before being caught, reports show] and [ON: Watchdog slams McGuinty’s office over deleted emails]

US – Plans for Data-Sharing Steeped in Privacy Concerns

Virginia plans to implement a data system aimed at improving student preparation for college and the workforce. The talks have been steeped in privacy concerns surrounding student data, which school officials well understand given recent news about the National Security Agency’s surveillance methods. “This is not the greatest time in government to be talking about the cool data we collect,” said a spokesman for the Virginia Education Department. “It’s right for parents to be concerned about privacy. We share that concern.” The system would allow agencies to share data to track student progress, helping officials to create policies around the most successful routes. [The Washington Post]

CA – New App Could Let Citizens Report Illegal Parking, Get Cut of Fine

A new app called SpotSquad could soon pay people to report parking infractions to authorities. The concept is simple, says Chris Johnson, co-founder of the app: when someone sees a parking violation, they simply need to open up the app on their smartphone, upload a photo, choose the type of infraction and submit it – the photo is then sent to regional parking authorities who can dispatch a ticket warden. If the tip results in a fine, tipsters get a cut deposited into their bank accounts or donated to their favourite charities – as much as 10 or 20%, says Johnson. The group hasn’t yet struck any deals but says it is open to working with municipalities and private parking lot operators. A similar app already exists in the U.S. Texas-based Parking Mobility runs a program that allows trained volunteers to take photos of cars parked in disabled spots. Rewards are paid out to charities or parking offender rehabilitation programs. The program works because the organization has spent years negotiating agreements with police departments and cities. The group has also launched a pilot project in Vancouver, but results have been disappointing. Unlike in the U.S., tipsters are prohibited from reporting on violations made on private property. The Canadian app, SpotSquad, could open up a legal minefield, according to a Winnipeg lawyer specializing in privacy and social media law. Public sector workers who do similar work are bound by privacy laws, lawyer Brian Bowman told CTV Winnipeg. That wouldn’t be the case with this app. “You are empowering citizens and paying them to arguably act as an agent for you,” he said. [Source]

E-Mail

US – Texas Governor Signs Strict Email Privacy Bill

Texas Governor Rick Perry has signed House Bill 2268 into law. The measure requires that law enforcement obtain a warrant before snooping on email. The law takes effect immediately. It makes Texas the first state to have a law that is more stringent than the federal Electronic Communications Privacy Act (ECPA), which requires a warrant only for unopened email that is less than 180 days old. [Source] [Source] SEE ALSO: [GEIST: Is the Government About to Can Its Own Anti-Spam Law?]

EU Developments

EU – France Gives Google 3 Months to Address User Data Privacy Concerns

French data privacy body, Commission Nationale de l’Informatique et des Libertes (CNIL), has given Google three months to implement changes to the way it collects and manages customer data. The commission found Google to be in violation of the French Data Protection Act. CNIL’s June 10 decision lists the changes it expects from Google, including explaining to users how the data they collect will be used, and not retaining data beyond the time necessary for the purpose for which they were collected. If Google does not comply with the order, the company could face sanctions. Google is facing enforcement action over privacy practices in several other EU countries, including Spain and Germany. [CNET] [The Register] [ComputerWorld] [Reuters]

EU – Albrecht: Reports Suggest NSA Intercepted Regulation Data

“If the actual revelations on these spying activities are true, then it is completely clear that there have been also interceptions with the activities of this regulation,” German Green MEP Jan Philip Albrecht said of the EU’s draft data protection regulation in response to this weekend’s reports on the U.S. National Security Agency (NSA) allegedly spying on EU activities. The report also notes lobbying efforts against the draft regulation by the U.S. government and U.S.-based companies, quoting Albrecht as saying, “Perhaps it’s time to re-discuss once more if we really want to completely exclude national security from the scope of the regulation.” A European Commission spokeswoman has called the weekend allegations “disturbing” and said the European External Action Service has asked Secretary of State John Kerry to respond. [EUObserver] SEE ALSO: [Ars Technica: Students Challenge Firms Over NSA Data Transfers]

EU – Rule Sets Out Data Breach Notification Expectations for Telecoms and ISPs

The European Union has issued new regulations describing the responsibilities of telecommunications companies and ISPs when they experience data breaches. The incidents must be reported to data protection authorities within 24 hours of their discovery. The companies must report the size and nature of the breach, what data were compromised, and what steps they have taken to address the issue with customers. Businesses and consumers will be told of the breach if it “is likely to adversely affect personal data or privacy.” That decision will be made by the national data protection authorities using a test to be provided by the European Commission. Notification of authorities has been required for several years, but the new regulation establishes specific details. Companies can be exempt from the requirements if they encrypt data. [PC World] [ZDNet]

EU – Search Engine Not Controller, EU Court Rules

The EU’s top court ruled that Internet search engines cannot be considered “the controller” of personal data hosted on other websites. EU Court of Justice Advocate General Niilo Jaeaeskinen said in a nonbinding opinion, “A national data protection authority cannot require an Internet search engine service provider to withdraw information from its index.” The case, C-131/12, stems from approximately 200 orders from Spain’s Data Protection Authority for Google to remove personal data from indexed websites. A spokesman for Google said, “This is a good opinion for free expression…We’re glad to see it supports our long-held view that requiring search engines to suppress ‘legitimate and legal information’ would amount to censorship.” [Bloomberg]

EU – Court Backs Google in Privacy Case

Google must respect EU privacy law but is not obliged to delete sensitive information from its search index, an adviser to the highest EU court said, in a case that tests whether people can have harmful content erased from the Web. The adviser backed the internet search giant’s position that it cannot erase legal content from the internet even if it is harmful to an individual. But he rejected the view of many U.S. internet firms that they are not bound by EU privacy law. “Requesting search engine service providers to suppress legitimate and legal information that has entered the public domain would entail an interference with the freedom of expression,” the Luxembourg-based court said in a statement setting out Advocate General Niilo Jaaskinen’s opinion. While internet-based firms operating in the European Union must adhere to national data protection laws, that did not oblige them to remove personal content produced by third parties, the statement said. “Search engine service providers are not responsible, on the basis of the Data Protection Directive, for personal data appearing on web pages they process.” Lawyers agree that Google’s search algorithms, which hunt and list weblinks based on how relevant they may be, would not be in a position to “know” whether data was personal or not. A final judgment on the case is expected before the end of the year. [Source]

EU – Taking Photos in Private Settings to Be Illegal in Sweden

Sweden has taken the unusual step of making it illegal to take pictures in private environments without permission. The new privacy law takes effect July 1, and it carries with it some strict penalties, ranging from a fine to a jail term of up to two years. That gives judges some ability to harshly punish someone taking secret video of people in changing rooms, while being more lenient on someone who took otherwise innocent photos in a person’s home. The new law would also make certain other acts illegal, such as installing a camera intended to take secret photos, even if no photos are actually taken. Critics say the law is a bit vague, as everyone’s definition of a private environment is different. A supermarket may be open to the public, but it’s privately owned. Exceptions are made in the law for journalists, though the Swedish Union of Journalists stands in opposition to it. “What’s unfortunate about this law that the parliament has approved is that a professional photographer doesn’t know when he raises the camera to take a picture if he is committing a criminal act or not,” explains board member Stephen Lindholm. “The risk is that pictures that should be taken aren’t because of fear of committing a crime.” [Source]

EU – Italian Garante Concerned About Government Measures

The president of Italy’s Data Protection Authority, the Garante, has voiced concerns about the Italian government’s recent measures aimed at simplifying the country’s data protection code. Garante President Antonello Soro’s concerns are that the government measures are “in breach of the EU Directive, Lisbon Treaty and Italian laws as well.” [Source]

Facts & Stats

WW – Firms Take 10 Hours to Spot Data Breaches, McAfee Finds

The average organisation believes it would spot a data breach in 10 hours, a McAfee global survey of IT professionals has found. But is that result good, indifferent or an indication of the downright complacent? The firm’s interrogation of 500 decision makers from the US, UK, Germany and Australia earlier this year found that 22% thought they’d need a day to recognise a breach, with one in 20 offering a week as a likely timescale. Just over a third said they would notice data breaches in a matter of minutes, which counts as real-time by today’s standards. In terms of general security, three quarters confidently reckoned they could assess their security in real-time, with about the same number talking up their ability to spot insider threats, perimeter threats and even zero-day malware. All of this was despite 58% admitting they had suffered a data breach in the last year with only a quarter spotting that fact within minutes. When trying to locate the source of the breach – the most important aspect of any detection and remediation regime – a third said it took a day and 16% as long as a week. In McAfee’s view the general optimism buried in some of these numbers belies the probability that many organisations over-estimate both the speed at which they notice breaches and their ability to quickly trace their source. Third parties have backed them up on this, especially a survey from security vendor Trustwave that found that many data breaches take months to spot, with the average being 210 days; 14% take longer than two years. [Source]

MX – Study Highlights Data Breach Concerns

A Unisys study has found that 82% of Mexicans are “very concerned” about data breaches. The study showed that of the survey’s 1,052 respondents, most are concerned about breaches at banks and financial institutions followed by those at healthcare organizations, government agencies and telcos and Internet service providers. “Anxiety related to data breaches in Mexico seems pervasive and continues to persist despite efforts by governments and commercial organizations to secure consumers’ financial data,” the report states. However, the survey also found low reporting for cybercrime. [BNamericas]

Finance

CH – Swiss Court Stops Handover of Credit Suisse Employee’s Data to U.S.

A Swiss court has ordered an injunction halting the transfer of a former Credit Suisse employee’s data to U.S. tax authorities. The ruling highlights Switzerland’s difficulties in balancing traditions of personal privacy against U.S. demands for data from roughly a dozen Swiss banks under formal investigation by U.S. prosecutors. Those banks, including Zurich-based Credit Suisse, have been handing over information on their U.S. dealings for months now, part of efforts to avoid indictment and minimise fines for their role in helping wealthy While these banks have clinched special Swiss government permission to deliver business data – but no client files – parliament failed last week to back a draft law covering the wider Swiss banking industry. While the court ruling is for one person’s data, “it will set a precedent and could be repeated for other employees who had access to U.S. clients.” [Source] SEE ALSO: [Payment Privacy: Are Untraceable Purchases Ever Okay?] and [Bank’s new cybersecurity audits catch law firms flat-footed]

FOI

US – FISA Court Says Google and Microsoft May Disclose Procedural Information

The US Foreign Intelligence Surveillance Court has granted Microsoft and Google the right to disclose “procedural information” related to their legal challenges of gag orders that accompany national security requests. These orders prohibit the companies from disclosing details about the data they provide to the government. The companies want to clear their names of allegations that they gave the NSA unfettered access to their servers. Both companies say they provide data only when they receive a legal request supported by a court order. [The Register] [Politico] [CNET] [Source] [Source] [Source]

WW – Google Adds Malware Statistics to Transparency Report

Google will be adding statistics about malware to its transparency report. Google’s transparency report currently documents criminal requests and national security requests from governments worldwide, though it does not include requests from the federal government’s FISA court regarding Google’s foreign users. Since that court made headlines this month, Google and other tech companies have been trying to contain the public relations crisis that has resulted from revelations that they have been aiding government surveillance efforts when ordered to by the court. Google has since filed a legal motion asking the government to relax its gag order and allow the company to disclose the number of FISA requests it receives. At the same time, Google said it would also be expanding its transparency report to include new numbers around malware and phishing attacks on the Internet. In 2006, Google started searching for, and flagging, suspect Web sites for its users. It is now flagging some 10,000 sites a day. The company said its transparency report would now document how many people see its security warnings each week, where malicious sites were hosted around the world (and by which ISPs), how long it took for webmasters to clean up their sites, and how quickly Web sites got re-infected after they were scrubbed of malware. As an example, during the first week of June, Google detected 37,000 legitimate sites that had been compromised to host malware and 4,000 sites that were created specifically to host malware. Earlier this year, it took websites an average of 50 days to clear themselves of reported malware. Google said it has been working on gathering relevant statistics for the last six months and that it would begin updating its transparency report weekly. [The New York Times] [DarkReading] [eWeek] [CNET] [Ars Technica] [h-online] [SC Magazine] [Google.com] SEE ALSO: [Peter Fleischer: Mirror, mirror on the wall, who is the ugliest one of them all?]

Genetics

US – Experts Propose Consolidating DNA Databases

This month an international group of nearly 80 researchers, patient advocates, universities and organizations like the National Institutes of Health announced that it wants to consolidate the world’s databases of DNA and other genetic information, making data easier for researchers to retrieve and share. But the security and privacy of the study subjects are paramount concerns, said Dr. David Altshuler of the Broad Institute of Harvard and M.I.T., a leader of the group. “The problems are not yet solved in any general way,” Dr. Altshuler said. “We want to work to solve them.” For years now, a steady stream of research has eroded scientists’ faith that DNA can be held anonymously. [New York Times]

Health / Medical

WW – Health Group Releases mHealth Study; Privacy in HTML5 Era

A new study by a mobile health advocacy group states there is not a “one-size-fits-all” resolution for mobile privacy legislation. The mHealth Alliance report, Patient Privacy in a Mobile World: A Framework To Address Privacy Law Issues in Mobile Health, also provides a mobile privacy toolkit for using mobile health technology. The evolving nature of mobile technology “makes it difficult, and some may say ill-advised, to create rigid legal rules that may not fit future mHealth applications or worse that may hamper their development in the first place,” the study states. Meanwhile, CIO reports on how to ensure privacy in the age of HTML5. [Thomson Reuters]

CA – B.C. Health Ministry Told to Strengthen Privacy Practices

Elizabeth Denham ruled that there was a “lack of clear responsibility for privacy within the ministry” at the time of the breaches. She believed this was due, in part, to a lack of clear leadership and clarity of roles. “Ministry privacy governance was further weakened by a complete lack of audit and review of employee and contractor functions relating to privacy,” she wrote. “There were no mechanisms to ensure that researchers were complying with the privacy requirements, as stipulated in contracts and written agreements, and to ensure ministry employees were taking appropriate privacy training and following privacy policies. As a result, ministry employees were able to download large amounts of personal health data on to unencrypted flash drives and share it with unauthorized persons, undetected.” Ms. Denham concluded her report with 11 recommendations, including that the ministry implement technical security measures to prevent unauthorized information transfer; create a program to monitor and audit compliance by employees and contracted researchers; and ensure employees with access to such databases participate in mandatory privacy training. The ministry has accepted and will be implementing all of Ms. Denham’s recommendations, newly appointed Health Minister Terry Lake said. [Source] SEE ALSO: [Doctors experiment with social media and apps], [US: Ingestible smart pills are a hard act to swallow] and [UK: Health watchdog destroyed report in maternity hospital to spare its own blushes]

WW – For Sale: Ingestible Computers to Monitor Your Health

A new wave of prescription pills can e-mail your doctor after being swallowed. Ingestible computers in pill-form can now monitor health data and share it wirelessly with doctors. The pills stay intact throughout the intestinal tract and are powered through stomach acids. The Electronic Frontier Foundation says such a pill has wonderful and terrible aspects. “The wonderful is that there are a great number of things you want to know about yourself on a continual basis…The terrible is that health insurance companies could know about the inner workings of your body.” [The New York Times]

Horror Stories

US – AG Report Reveals Breaches Affect 2.5 Million in 2012

According to a first-of-its-kind report released by California Attorney General Kamala Harris, 2.5 million Californians had personal information put at risk because of electronic data breaches in 2012. Had companies encrypted data when sending it outside of a network, 1.4 million Californians would have been protected. Retail establishments were the worst offenders. Noting the dangers inherent to individuals’ privacy, finances and even personal security, Harris said companies and government agencies “must do more to protect people by protecting data.” [Source]

WW – Facebook Says Technical Flaw Exposed 6 Million Users

Facebook has inadvertently exposed six million users’ phone numbers and e-mail addresses to unauthorized viewers over the last year, the company said. Facebook blamed the data leaks, which began in 2012, on a technical flaw in its huge archive of contact information collected from its 1.1 billion users worldwide. As a result of the problem, Facebook users who downloaded contact data for their list of friends obtained additional information that they were not supposed to have. Facebook’s security team was alerted to the problem last week and fixed it within 24 hours. But Facebook did not publicly acknowledge the flaw until the next week, when it published a message on its blog explaining the situation. A Facebook spokesman said the delay was because of a company procedure stipulating that regulators and affected users be notified before making a public announcement. [The New York Times] SEE ALSO: [Facebook’s White Hat Program Helped Uncover Glitch]

CA – BC Lab Loses Personal Info of 16,000 Patients

About 16,000 patients in Kamloops who used LifeLabs’ medical-lab service in the last six years are being warned their personal information may have been compromised. LifeLabs president Sue Paish says a computer was sent to their main office in Burnaby for servicing, and when it was returned the hard drive was missing. The hard drive held the results of ECGs, or electrocardiograms, and was removed sometime last January. Paish issued an apology for the incident and added the information is password protected and requires special equipment to read. Health Minister Terry Lake learned of the breach last week and wonders why it took so long to notify both the government and the privacy commissioner. Lake says he’s been assured by LifeLabs that it won’t happen again. [Source] Meanwhile, in other news: the personal data of 47,000 Florida teachers was exposed during a data transfer at Florida State University. The personal information was available online for approximately 14 days, according to the state’s Department of Education; Blizzard Entertainment has asked a California federal judge to dismiss a multi-million dollar class-action filed after a data breach, stating the plaintiffs have not alleged “actual harm.” And Seattle: Detective’s stolen laptop puts thousands at risk of identity theft.

US – Carnegie Mellon Publishes Empirical Analysis of Data Breach Litigation

Forbes reports on what organizations can do if they are the unlucky victims of a high-profile data breach. “At a minimum,” the article states, “start providing credit monitoring for victims to reduce litigation risk.” That’s according to researchers at Carnegie Mellon University and Temple University who found a six-fold reduction in the likelihood of being sued in federal court for those who provide credit monitoring. The paper, “Empirical Analysis of Data Breach Litigation,” also found a 10-fold increase in litigation if the incident was a cyberattack rather than lost or improperly disclosed data. [Source]

Identity Issues

US – Brill Calls for “Reclaim Your Name” Program

Federal Trade Commissioner Julie Brill has called on Congress to legislate a “Reclaim Your Name” program. Brill suggested that Big Data brokers are “taking advantage of us without our permission”; the program she has called for would establish technical controls allowing users to access the information data controllers have stored about them, then control it and correct it, the report states. The program could work in tandem with the still-being-negotiated Do-Not-Track (DNT) mechanism, Brill said, adding that she urges “the W3C stakeholders to forge ahead and reach consensus” on DNT. The Direct Marketing Association expressed surprise at Brill’s announcement, noting it has been in talks with her recently on increasing transparency. [AdAge] [Text of Speech to CFP] SEE ALSO: [Forbes: Acxiom Access Feature Delayed But Imminent]

CA – Wearing a Mask at a Riot Is Now a Crime

A bill that bans the wearing of masks during a riot or unlawful assembly and carries a maximum 10-year prison sentence on conviction of the offence has become law. Bill C-309, a private member’s bill introduced by Conservative MP Blake Richards in 2011, passed third reading in the Senate on May 23 and was proclaimed law during a royal assent ceremony in the Senate. Richards, MP for Wild Rose, Alta., said the bill is meant to give police an added tool to prevent lawful protests from becoming violent riots, and that it will help police identify people who engage in vandalism or other illegal acts. The bill is something that police, municipal authorities and businesses hit hard by riots in Toronto, Vancouver, Montreal and other cities in recent years were asking for, according to Richards. The bill creates a new Criminal Code offence that makes it illegal to wear a mask or otherwise conceal your identity during a riot or unlawful assembly. Exceptions can be made if someone can prove they have a “lawful excuse” for covering their face, such as religious or medical reasons. The bill originally proposed a penalty of up to five years, but the House of Commons justice committee amended it and doubled the penalty to up to 10 years in prison for committing the offence. Civil liberties advocates argued the measures could create a chilling effect on free speech and that peaceful protesters can unintentionally find themselves involved in an unlawful assembly. They also noted that there are legitimate reasons for wearing masks at protests; some may be worried about reprisals at work, for example, if sighted at a political protest. [Source]

WW – Yahoo Plans to Recycle Dormant User IDs

Yahoo plans to recycle Yahoo user IDs that have been inactive for a year or more. The company is aware of concerns about the old IDs falling into the hands of people with malicious intent, but says it is going to “extraordinary lengths to ensure that nothing bad happens to our users.” One concern that has been voiced is that someone acquiring a Yahoo ID that is linked with someone’s Gmail account could request a password reset for the Gmail account and take control of it. The same thing could potentially be done with social media and financial accounts. Yahoo released a statement noting that “any personal data and private content associated with these accounts will be deleted and will not be accessible to the account holder.” [CNET] [WIRED] SEE [“Own the email, own the person”]

Intellectual Property

US – $675,000 Filesharing Verdict Upheld

The US Court of Appeals for the First Circuit has ruled that a US$675,000 verdict against Joel Tenenbaum for filesharing is justified. In the ruling, the court wrote that although Sony was suing him for just 30 songs, Tenenbaum appears to have made many more songs than that available for sharing. In addition, “During discovery, Tenenbaum lied about his activities. Only at trial did [he] admit that he had distributed as many as five thousand songs.” [Ars Technica] [Document Cloud]

US – US Seized 1,700 Domains Over Three Years in Anti-Piracy Operation

“Operation In Our Sites,” an ongoing effort by US authorities to thwart intellectual property fraud, has seized more than 1,700 websites in the past three years. The offending sites offered illegally streamed sporting events; sold bogus apparel, accessories and counterfeit drugs; and allowed illegal downloads of music and movies. US authorities were able to seize the sites because the domains – .net, .com, and .org – are controlled by US entities. [WIRED]

US – Pandora Says Music Streams Not Covered By Privacy Law

Pandora is asking the Ninth Circuit Court of Appeals to uphold a decision by a U.S. District Court that the company did not violate a Michigan privacy law by allegedly sharing web users’ music-listening history with their Facebook friends. U.S. District Court Judge Saundra Brown Armstrong dismissed a potential class-action lawsuit that Pandora violated Michigan’s Video Rental Privacy Act by participating in Facebook’s “instant personalization” program. Armstrong ruled the act doesn’t apply when companies “stream” tracks, as opposed to lending, renting or selling them, the report states. The suit’s plaintiff wants his claim revived, but Pandora says Armstrong was correct in her ruling. [MediaPost News]

Law Enforcement

US – FBI Confirms Drone Use, Says It’s Limited

FBI Director Robert Mueller testified to the U.S. Senate that the Federal Bureau of Investigation (FBI) sometimes uses drones for surveillance efforts. “It’s very seldom used and generally used in a particular incident when you need the capability,” Mueller said. “It’s very narrowly focused on particularized cases and particularized needs.” The testimony follows concerns by lawmakers and civil liberties advocates as revelations emerge on the government’s interception of U.S. citizens’ communications via its PRISM program. But the debate on drones has been ongoing. Mueller said the FBI is beginning to formulate privacy guidelines on the technology. [Bloomberg] [Drones Are Easy To Acquire, Lack Regulation]

US – Blood, Spit and Cops: Nationwide Drug Roadblocks Raise Eyebrows

The roadblocks went up at several points in two Alabama towns, about 40 miles on either side of Birmingham. For the next two days, off-duty sheriff’s deputies in St. Clair County, to the east, and Bibb County, to the southwest, flagged down motorists and steered them toward federal highway safety researchers. The researchers asked them a few questions about drinking and drug use and asked them for breath, saliva and blood samples — offering them $10 for saliva and $50 to give blood. It’s not just in Alabama. The roadblocks are part of a national study led by the National Highway Traffic Safety Administration, which is trying to determine how many drivers are on the road with drugs or alcohol in their systems. Similar roadblocks will be erected in dozens of communities across the nation this year, according to the agency. It’s been going on for decades. Previous surveys date to the 1970s. The last one was run in 2007, and it included the collection of blood and saliva samples without apparent controversy, sheriff’s spokesmen in both Alabama counties said. But this time, it’s happening as the Obama administration struggles to explain revelations that U.S. spy organizations have been tracking phone and Internet traffic. Against that backdrop, the NHTSA-backed roadblocks have led to complaints in Alabama about an intrusive federal government. Susan Watson, executive director of the Alabama chapter of the ACLU, called the use of deputies to conduct the survey an “abuse of power.” Even though the survey is voluntary, people still feel they need to comply when asked by a police officer, she said. “How voluntary is it when you have a police officer in uniform flagging you down?” Watson asked. “Are you going to stop? Yes, you’re going to stop.” The agency said the 8,000 drivers expected to take part will do so voluntarily and anonymously, and researchers follow “a highly scientific protocol and complex statistical design in order to accurately reflect the problem nationwide.” [Source]

Offshore

CH – China’s First-Ever National Standard on Data Privacy

The Information Security Technology-Guide for Personal Information Protection within Public and Commercial Systems (“Guidelines”), China’s first-ever national standard for personal data privacy protection, came into effect on February 1, 2013. The Guidelines are not legally binding; they are just what they purport to be, guidelines, and some commentators view them as purely technical guidelines. However, the Guidelines should not be taken lightly, as they may be a precursor of new legislation ahead. China is not quite ready to issue new binding legislation, but there are indications it seeks to develop consistency with other internationally accepted practices, especially following recent data legislation enacted in the region by neighboring Hong Kong and other Asian countries. [Mondaq News]

SK – Presidential Office Hacked

A hacking attack on the presidential office has resulted in the leak of 100,000 individuals’ personal information. The information includes names, birth dates, ID numbers and both online and offline addresses, the report states. Users’ registration numbers—similar to Social Security numbers—were not affected because they were encrypted. The presidential office has issued an apology and is offering compensation to those affected. [ZDNet]

Online Privacy

EU – Working Group: Default Should Be No Tracking

The EU’s International Working Group on Data Protection has released a whitepaper on online behavioral advertising, reports the Electronic Privacy Information Center. The working group says in its release that World Wide Web Consortium efforts to create a Do-Not-Track mechanism could serve as a “sugar pill instead of a proper cure and would as such be useless.” The working group recommends that the default setting be that users are not tracked. [Paper] SEE ALSO: [Forbes: The Web Cookie Is Dying. Here’s The Creepier Technology That Comes Next]

WW – W3C Moves Forward on June Draft; Group Launches Privacy Controls

ZDNet reports on two developments in the Do-Not-Track initiative. First, those participating in a World Wide Web Consortium conference call agreed to accept a draft of the standard in an effort to work toward “Last Call,” when the proposal is brought for a vote. The draft is being dubbed the June Draft. Also, Mozilla has teamed up with Stanford’s Center for Internet and Society to announce it is launching its own set of privacy controls on the web. Called a “Cookie Clearinghouse,” it will allow users to create and maintain “allow lists” and “block lists,” the report states. [Source]

WW – IAB Disapproves of Cookie Clearinghouse

Mozilla’s involvement with The Center for Internet and Society at Stanford Law School in an effort to improve Internet privacy is a “Kangaroo cookie court,” according to the Interactive Advertising Bureau (IAB). The IAB disapproves of the ongoing project called the “Cookie Clearinghouse,” a control system that allows users to maintain a “block” list and an “allow” list when it comes to cookies. The IAB says the system “replaces the principle of consumer choice with a ‘Mozilla knows best’ system.” Mozilla said it hopes the IAB and other industry groups will get involved in the project to better the user experience. [CNET]

WW – Creepy Facebook Apps Mine Your Profile for Bikini Shots, Break-Up Status

Facebook isn’t to blame. More and more apps built to take advantage of the Facebook social network’s very social tools are hopping the fence from useful and crossing over into downright creepy territory. I looked at several of these apps, which handle tasks such as searching for photos of your friends in their bikinis to notifying you about people who are newly single, to see just how disturbing they are. Some worked more or less as advertised. Others failed miserably, which is good news, as some of the very concepts made my skin crawl. [Source] SEE ALSO: [New York Times: Data You Can Believe In: The Obama Campaign’s Digital Masterminds Cash In]

Other Jurisdictions

IN – CCTV Not Covered in Draft Law

Those whose images are captured via CCTV in public places “will not be able to invoke the proposed privacy law to seek redress.” That is one provision of the draft privacy bill “likely to be tabled in Parliament’s forthcoming session,” the report states, noting the bill does include the creation of a national body to hold individuals, organizations and others accountable for audio and video recording. The bill “addresses the home ministry’s concern that interception laws must not change and that footage from security cameras in public places is kept out of the ambit of the new law,” officials said. [The Indian Express]

AU – Breach Notification Laws Fail to Pass Before Break

The Australian Senate has failed to pass mandatory data breach notification reform laws, which were expected to go into effect by March of next year. The Senate has now taken its break until the next election. The proposed law was described by the Australian Law Reform Commission in 2008 as a “long-overdue measure,” Business Spectator reports. The Senate did pass laws last week requiring Commonwealth public officials to report suspected wrongdoing, reports The Register. Meanwhile, a new report says that many Australian data-driven firms are using consumer data to support existing beliefs rather than “achieve fresh insights.” [Business Spectator] [AUS: Banks slam new privacy proposal] see also: [NZ: Govt chief information officer role to be expanded]

Privacy (US)

US – NSA Outlines Steps to Reduce Leaks

To prevent Edward Snowden-type leaks, the National Security Agency is considering a number of measures, including reducing the number of systems administrators it employs, NSA Director Keith Alexander says. The agency also is considering requiring individuals with top-secret security clearance to be partnered to access certain classified documents. Testifying on June 18 before the House Select Permanent Committee on Intelligence, Alexander said the NSA employs at least 1,000 systems administrators with security clearances, most of whom are on the payrolls of government contractors. “About 12 to 13 years ago, as we tried to downsize our government workforce, we pushed more of our information technology workforce, our systems administrators, to the contract arena,” Alexander said. “That’s consistent across the intelligence community.” [Source] [ZDNet] [ComputerWorld] [WIRED] [Privacy groups skeptical of plan to limit NSA’s data access]

US – Former NSA Official Says Anti-Leak Technology Not Deployed

A former NSA cybersecurity official said that when he left the agency in the summer of 2012, there was no anti-leak technology on NSA networks. After Bradley Manning’s alleged data theft came to light, the US Department of Defense rolled out a Host Based Security System (HBSS) to detect unauthorized activity on DOD networks. One of the system’s features is to monitor removable data devices, like those allegedly used by Manning and more recently by Edward Snowden. The official said that the HBSS was not installed on NSA networks as of last summer. He also commented on NSA Director Gen. Keith Alexander’s plan to have the NSA use a two-person rule for data access, saying that it could prove too cumbersome for specialists who need to do fast-paced work, and noted that “the best safeguard would be locking down the content at the source.” [NextGov]

US – Senators Say NSA Inaccurate on Protections

Two senators on the intelligence committee have accused the National Security Agency (NSA) of publicly presenting inaccurate statements about the privacy protections on its surveillance of millions of Internet communications. However, Sens. Ron Wyden (D-OR) and Mark Udall (D-CO) say they cannot identify the inaccuracies within a factsheet without exposing classified information. In a letter written to NSA Director Gen. Keith Alexander, the senators wrote they were “disappointed to see that this factsheet contains an inaccurate statement about how the section 702 authority has been interpreted by the U.S. government…this inaccuracy is significant, as it portrays protections for America